Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/gnu/dist/sendmail/RELEASE_NOTES

6588 lines
321 KiB
Plaintext
Raw Normal View History

Initial import of "sendmail" 8.9.3 sources.
2000-02-07 23:05:21 +03:00
SENDMAIL RELEASE NOTES
@(#)RELEASE_NOTES 8.9.3.1 (Berkeley) 2/4/1999
This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.
8.9.3/8.9.3 99/02/04
SECURITY: Limit message headers to a maximum of 32K bytes (total
of all headers in a single message) to prevent a denial of
service attack. This limit will be configurable in 8.10.
Problem noted by Michal Zalewski of the "Internet for
Schools" project (IdS).
Prevent segmentation fault on an LDAP lookup if the LDAP map
was closed due to an earlier failure. Problem noted by
Jeff Wasilko of smoe.org. Fix from Booker Bense of
Stanford University and Per Hedeland of Ericsson.
Preserve the order of the MIME headers in multipart messages
when performing the MIME header length check. This
will allow PGP signatures to function properly. Problem
noted by Lars Hecking of University College, Cork, Ireland.
If ruleset 5 rewrote the local address to an :include: directive,
the delivery would fail with an "aliasing/forwarding loop
broken" error. Problem noted by Eric C Hagberg of Morgan
Stanley. Fix from Per Hedeland of Ericsson.
Allow -T to work for bestmx maps. Fix from Aaron Schrab of
ExecPC Internet Systems.
During the transfer of a message in an SMTP transaction, if a
TCP timeout occurs, the message would be properly queued
for later retry but the failure would be logged as
"Illegal Seek" instead of a timeout. Problem noted by
Piotr Kucharski of the Warsaw School of Economics (SGH)
and Carles Xavier Munyoz Baldo of CTV Internet.
Prevent multiple deliveries on a self-referencing alias if the
F=w mailer flag is not set. Problem noted by Murray S.
Kucherawy of Concentric Network Corporation and Per
Hedeland of Ericsson.
Do not strip empty headers but if there is no value and a
default is defined in sendmail.cf, use the default.
Problem noted by Philip Guenther of Gustavus Adolphus
College and Christopher McCrory of Netus, Inc.
Don't inherit information about the sender (notably the full name)
in SMTP (-bs) mode, since this might be called from inetd.
Accept any 3xx reply code in response to DATA command instead of
requiring 354. This change will match the wording to be
published in the updated SMTP specification from the DRUMS
group of the IETF.
Portability:
AIX 4.2.0.2 ships with a /usr/lib/libbind.a which should
not be used. It conflicts with the resolver
built into libc.a. "bind" has been removed
from the confLIBSEARCH BuildTools variable.
Users who have installed BIND 8.X will have
to add it back in their site.config.m4 file.
Problem noted by Ole Holm Nielsen of the
Technical University of Denmark.
CRAY TS 10.0.x from Sven Nielsen of San Diego
Supercomputer Center.
Improved LDAP version 3 integration based on input
from Kurt D. Zeilenga of the OpenLDAP Foundation,
John Beck of Sun Microsystems, and Booker Bense
of Stanford University.
Linux doesn't have a standard way to get the timezone
between different releases. Back out the
change in 8.9.2 and don't attempt to derive
a timezone. Problem reported by Igor S. Livshits
of the University of Illinois at Urbana-Champaign
and Michael Dickens of Tetranet Communications.
Reliant UNIX, the new name for SINIX, from Gert-Jan Looy
of Siemens/SNI.
SunOS 5.8 from John Beck of Sun Microsystems.
CONFIG: SCO UnixWare 2.1 and 7.0 need TZ to get the proper
timezone. Problem noted by Petr Lampa of Technical
University of Brno.
CONFIG: Handle <@bestmx-host:user@otherhost> addressing properly
when using FEATURE(bestmx_is_local). Patch from Neil W.
Rickert of Northern Illinois University.
CONFIG: Properly handle source routed and %-hack addresses on
hosts which the mailertable remaps to local:. Patch from
Neil W. Rickert of Northern Illinois University.
CONFIG: Internal fixup of mailertable local: map value. Patch from
Larry Parmelee of Cornell University.
CONFIG: Only add back +detail from host portion of mailer triplet
on local mailer triplets if it was originally +detail.
Patch from Neil W. Rickert of Northern Illinois University.
CONFIG: The bestmx_is_local checking done in check_rcpt would
cause later checks to fail. Patch from Paul J Murphy of
MIDS Europe.
New files:
BuildTools/OS/CRAYTS.10.0.x
BuildTools/OS/ReliantUNIX
BuildTools/OS/SunOS.5.8
8.9.2/8.9.2 98/12/30
SECURITY: Remove five second sleep on accepting daemon connections
due to an accept() failure. This sleep could be used
for a denial of service attack.
Do not silently ignore queue files with names which are too long.
Patch from Bryan Costales of InfoBeat, Inc.
Do not store failures closing an SMTP session in persistent
host status. Reported by Graeme Hewson of Oracle
Corporation UK.
Allow symbolic link forward files if they are in safe directories.
Problem noted by Andreas Schott of the Max Planck Society.
Missing columns in a text map could cause a segmentation fault.
Fix from David Lee of the University of Durham.
Note that for 8.9.X, PrivacyOptions=goaway also includes the
noetrn flag. This is scheduled to change in a future
version of sendmail. Problem noted by Theo Van Dinter of
Chrysalis Symbolic Designa and Alan Brown of Manawatu
Internet Services.
When trying to do host canonification in a Wildcard MX
environment, try an MX lookup of the hostname without the
default domain appended. Problem noted by Olaf Seibert of
Polderland Language & Speech Technology.
Reject SMTP RCPT To: commands with only comments (i.e.
'RCPT TO: (comment)'. Problem noted by Earle Ake of
Hassler Communication Systems Technology, Inc.
Handle any number of %s in the LDAP filter spec. Patch from
Per Hedeland of Ericsson.
Clear ldapx open timeouts even if the map open failed to prevent
a segmentation fault. Patch from Wayne Knowles of the
National Institute of Water & Atmospheric Research Ltd.
Do not syslog envelope clone messages when using address
verification (-bv). Problem noted by Kari Hurtta of the
Finnish Meteorological Institute.
Continue to perform queue runs while in daemon mode even if the
daemon is rejecting connections due to a disk full
condition. Problem noted by JR Oldroyd of TerraNet
Internet Services.
Include full filename on installation of the sendmail.hf file
in case the $HFDIR directory does not exist. Problem
noted by Josef Svitak of Montana State University.
Close all maps when exiting the process with one exception.
Berkeley DB can use internal shared memory locking for
its memory pool. Closing a map opened by another process
will interfere with the shared memory and locks of the
parent process leaving things in a bad state. For
Berkeley DB, only close the map if the current process
is also the one that opened the map, otherwise only close
the map file descriptor. Thanks to Yoseff Francus of
Collective Technologies for volunteering his system for
extended testing.
Avoid null pointer dereference on XDEBUG output for SMTP reply
failures. Problem noted by Carlos Canau of EUnet Portugal.
On mailq and hoststat listings being piped to another program, such
as more, if the pipe closes (i.e. the user quits more),
stop sending output and exit. Patch from Allan E Johannesen
of Worcester Polytechnic Institute.
In accordance with the documentation, LDAP map lookup failures
are now considered temporary failures instead of permanent
failures unless the -t flag is used in the map definition.
Problem noted by Booker Bense of Stanford University and
Eric C. Hagberg of Morgan Stanley.
Fix by one error reporting on long alias names. Problem noted by
H. Paul Hammann of the Missouri Research and Education
Network.
Fix DontBlameSendmail=IncludeFileInUnsafeDirPath behavior. Problem
noted by Barry S. Finkel of Argonne National Laboratory.
When automatically converting from 8 bit to quoted printable MIME,
be careful not to miss a multi-part boundary if that
boundary is preceded by a boundary-like line. Problem
noted by Andreas Raschle of Ansid Inc. Fix from
Kari Hurtta of the Finnish Meteorological Institute.
Avoid bogus reporting of "LMTP tobuf overflow" when the buffer
has enough space for the additional address. Problem
noted by Steve Cliffe of the University of Wollongong.
Fix DontBlameSendmail=FileDeliveryToSymlink behavior. Problem
noted by Alex Vorobiev of Swarthmore College.
If the check_compat ruleset resolves to the $#discard mailer,
discard the current recipient. Unlike check_relay,
check_mail, and check_rcpt, the entire envelope is not
discarded. Problem noted by RZ D. Rahlfs. Fix from
Claus Assmann of Christian-Albrechts-University of Kiel.
Avoid segmentation fault when reading ServiceSwitchFile files with
bogus formatting. Patch from Kari Hurtta of the Finnish
Meteorological Institute.
Support Berkeley DB 2.6.4 API change.
OP.ME: Pages weren't properly output on duplexed printers. Fix
from Matthew Black of CSU Long Beach.
Portability:
Apple Rhapsody from Wilfredo Sanchez of Apple Computer, Inc.
Avoid a clash with IRIX 6.2 getopt.h and the UserDatabase
option structure. Problem noted by Ashley M.
Kirchner of Photo Craft Laboratories, Inc.
Break out IP address to hostname translation for
reading network interface addresses into
class 'w'. Patch from John Kennedy of
Cal State University, Chico.
AIX 4.x use -qstrict with -O3 to prevent the optimized
from changing the semantics of the compiled
program. From Simon Travaglia of the
University of Waikato, New Zealand.
FreeBSD 2.2.2 and later support setusercontext(). From
Peter Wemm of DIALix.
FreeBSD 3.x fix from Peter Wemm of DIALix.
IRIX 5.x has a syslog buffer size of 512 bytes. From
Nao NINOMIYA of Utsunomiya University.
IRIX 6.5 64-bit Build support.
LDAP Version 3 support from John Beck and Ravi Iyer
of Sun Microsystems.
Linux does not implement seteuid() properly. From
John Kennedy of Cal State University, Chico.
Linux timezone type was set improperly. From Takeshi Itoh
of Bits Co., Ltd.
NCR MP-RAS 3.x needs -lresolv for confLIBS. From
Tom J. Moore of NCR.
NeXT 4.x correction to man page path. From J. P. McCann
of E I A.
System V Rel 5.x (a.k.a UnixWare7 w/o BSD-Compatibility Libs)
from Paul Gampe of the Asia Pacific Network
Information Center.
ULTRIX now requires an optimization limit of 970 from
Allan E Johannesen of Worcester Polytechnic
Institute.
Fix extern declaration for sm_dopr(). Fix from Henk
van Oers of Algemeen Nederlands Persbureau.
CONFIG: Catch @hostname,user@anotherhost.domain as relaying.
Problem noted by Mark Rogov of AirMedia, Inc. Fix from
Claus Assmann of Christian-Albrechts-University of Kiel.
CONFIG: Do not refer to http://maps.vix.com/ on RBL rejections as
there are multiple RBL's available and the MAPS RBL may
not be the one in use. Suggested by Alan Brown of
Manawatu Internet Services.
CONFIG: Properly strip route addresses (i.e. @host1:user@host2)
when stripping down a recipient address to check for
relaying. Patch from Claus Assmann of
Christian-Albrechts-University of Kiel and Neil W Rickert
of Northern Illinois University.
CONFIG: Allow the access database to override RBL lookups. Patch
from Claus Assmann of Christian-Albrechts-University of
Kiel.
CONFIG: UnixWare 7 support from Phillip P. Porch of The Porch
Dot Com.
CONFIG: Fixed check for deferred delivery mode warning. Patch
from Claus Assmann of Christian-Albrechts-University of
Kiel and Per Hedeland of Ericsson.
CONFIG: If a recipient using % addressing is used, e.g.
user%site@othersite, and othersite's MX records are now
checked for local hosts if FEATURE(relay_based_on_MX) is
used. Problem noted by Alexander Litvin of Lucky Net Ltd.
Patch from Alexander Litvin of Lucky Net Ltd and
Claus Assmann of Christian-Albrechts-University of Kiel.
MAIL.LOCAL: Prevent warning messages from appearing in the LMTP
stream. Do not allow more than one response per recipient.
MAIL.LOCAL: Handle routed addresses properly when using LMTP. Fix
from John Beck of Sun Microsystems.
MAIL.LOCAL: Properly check for CRLF when using LMTP. Fix from
John Beck of Sun Microsystems.
MAIL.LOCAL: Substitute MAILER-DAEMON for the LMTP empty sender in
the envelope From header.
MAIL.LOCAL: Accept underscores in hostnames in LMTP mode.
Problem noted by Glenn A. Malling of Syracuse University.
MAILSTATS: Document msgsrej and msgsdis fields in the man page.
Problem noted by Richard Wong of Princeton University.
MAKEMAP: Build group list so group writable files are allowed with
the -s flag. Problem noted by Curt Sampson of Internet
Portal Services, Inc.
PRALIASES: Automatically handle alias files created without the
NULL byte at the end of the key. Patch from John Beck of
Sun Microsystems.
PRALIASES: Support Berkeley DB 2.6.4 API change.
New Files:
BuildTools/OS/IRIX64.6.5
BuildTools/OS/UnixWare.5.i386
cf/cf/unixware7.m4
contrib/smcontrol.pl
src/control.c
8.9.1/8.9.1 98/07/02
If both an OS specific site configuration file and a generic
site.config.m4 file existed, only the latter was used
instead of both. Problem noted by Geir Johannessen of
the Norwegian University of Science and Technology.
Fix segmentation fault while converting 8 bit to 7 bit MIME
multipart messages by trying to write to an unopened
file descriptor. Fix from Kari Hurtta of the Finnish
Meteorological Institute.
Do not assume Message: and Text: headers indicate the end of
the header area when parsing MIME headers. Problem noted
by Kari Hurtta of the Finnish Meteorological Institute.
Setting the confMAN#SRC Build variable would only effect the
installation commands. The man pages would still be
built with .0 extensions. Problem noted by Bryan
Costales of InfoBeat, Inc.
Installation of manual pages didn't honor the DESTDIR environment
variable. Problem noted by Bryan Costales of InfoBeat, Inc.
If the check_relay ruleset resolved to the discard mailer, messages
were still delivered. Problem noted by Mirek Luc of NASK.
Mail delivery to files would fail with an Operating System Error
if sendmail was not running as root, i.e. RunAsUser was set.
Problem noted by Leonard N. Zubkoff of Dandelion Digital.
Prevent MinQueueAge from interfering from queued items created
in the future, i.e. if the system clock was set ahead
and then back. Problem noted by Michael Miller of the
University of Natal, Pietermaritzburg.
Do not advertise ETRN support in ESTMP EHLO reply if noetrn is
set in the PrivacyOptions option. Fix from Ted Rule of
Flextech TV.
Log invalid persistent host status file lines instead of
bouncing the message. Problem noted by David Lindes of
DaveLtd Enterprises.
Move creation of empty sendmail.st file from installation to
compilation. Installation may be done from a read-only
mount. Fix from Bryan Costales of InfoBeat, Inc. and Ric
Anderson of the Oasis Research Center, Inc.
Enforce the maximum number of User Database entries limit. Problem
noted by Gary Buchanan of Credence Systems Inc.
Allow dead.letter files in root's home directory. Problem noted
by Anna Ullman of Sun Microsystems.
Program deliveries in forward files could be marked unsafe if
any directory listed in the ForwardPath option did not
exist. Problem noted by Jorg Bielak of Coastal Web Online.
Do not trust the length of the address structure returned by
gethostbyname(). Problem noted by Chris Evans of Oxford
University.
If the SIZE= MAIL From: ESMTP parameter is too large, use the
5.3.4 DSN status code instead of 5.2.2. Similarly, for
non-local deliveries, if the message is larger than the
mailer maximum message size, use 5.3.4 instead of 5.2.3.
Suggested by Antony Bowesman of
Fujitsu/TeaWARE Mail/MIME System.
Portability:
Fix the check for an IP address reverse lookup for
use in $&{client_name} on 64 bit platforms.
From Gilles Gallot of Institut for Development
and Resources in Intensive Scientific computing.
BSD-OS uses .0 for man page extensions. From Jeff Polk
of BSDI.
DomainOS detection for Build. Also, version 10.4 and later
ship a unistd.h. Fixes from Takanobu Ishimura of
PICT Inc.
NeXT 4.x uses /usr/lib/man/cat for its man pages. From
J. P. McCann of E I A.
SCO 4.X and 5.X include NDBM support. From Vlado Potisk
of TEMPEST, Ltd.
CONFIG: Do not pass spoofed PTR results through resolver for
qualification. Problem noted by Michiel Boland of
Digital Valley Internet Professionals; fix from
Kari Hurtta of the Finnish Meteorological Institute.
CONFIG: Do not try to resolve non-DNS hostnames such as UUCP,
BITNET, and DECNET addresses for resolvable senders.
Problem noted by Alexander Litvin of Lucky Net Ltd.
CONFIG: Work around Sun's broken configuration which sends bounce
messages as coming from @@hostname instead of <>. LMTP
would not accept @@hostname.
OP.ME: Corrections to complex sendmail startup script from Rick
Troxel of the National Institutes of Health.
RMAIL: Do not install rmail by default, require 'make force-install'
as this rmail isn't the same as others. Suggested by
Kari Hurtta of the Finnish Meteorological Institute.
New Files:
BuildTools/OS/DomainOS.10.4
8.9.0/8.9.0 98/05/19
SECURITY: To prevent users from reading files not normally
readable, sendmail will no longer open forward, :include:,
class, ErrorHeader, or HelpFile files located in unsafe
(i.e. group or world writable) directory paths. Sites
which need the ability to override security can use the
DontBlameSendmail option. See the README file for more
information.
SECURITY: Problems can occur on poorly managed systems, specifically,
if maps or alias files are in world writable directories.
This fixes the change added to 8.8.6 to prevent links in these
world writable directories.
SECURITY: Make sure ServiceSwitchFile option file is not a link if
it is in a world writable directory.
SECURITY: Never pass a tty to a mailer -- if a mailer can get at the
tty it may be able to push bytes back to the senders input.
Unfortunately this breaks -v mode. Problem noted by
Wietse Venema of the Global Security Analysis Lab at
IBM T.J. Watson Research.
SECURITY: Empty group list if DontInitGroups is set to true to
prevent program deliveries from picking up extra group
privileges. Problem reported by Wolfgang Ley of DFN-CERT.
SECURITY: The default value for DefaultUser is now set to the uid and
gid of the first existing user mailnull, sendmail, or daemon
that has a non-zero uid. If none of these exist, sendmail
reverts back to the old behavior of using uid 1 and gid 1.
This is a security problem for Linux which has chosen that
uid and gid for user bin instead of daemon. If DefaultUser
is set in the configuration file, that value overrides this
default.
SECURITY: Since 8.8.7, the check for non-setuid binaries
interfered with setting an alternate group id for the
RunAsUser option. Problem noted by Randall Winchester of
the University of Maryland.
Add support for Berkeley DB 2.X. Based on patch from John Kennedy
of Cal State University, Chico.
Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users
which previously defined OLD_NEWDB=1 must now upgrade to the
current version of Berkeley DB.
Added support for regular expressions using the new map class regex.
From Jan Krueger of Unix-AG of University of Hannover.
Support for BIND 8.1.1's hesiod for hesiod maps and hesiod
UserDatabases from Randall Winchester of the University
of Maryland.
Allow any shell for user shell on program deliveries on V1
configurations for backwards compatibility on machines which
do not have getusershell(). Fix from John Beck of Sun
Microsystems.
On operating systems which change the process title by reusing the
argument vector memory, sendmail could corrupt memory if the
last argument was either "-q" or "-d". Problem noted by
Frank Langbein of the University of Stuttgart.
Support Local Mail Transfer Protocol (LMTP) between sendmail and
mail.local on the F=z flag.
Macro-expand the contents of the ErrMsgFile. Previously this was
only done if you had magic characters (0x81) to indicate
macro expansion. Now $x will be expanded. This means that
real dollar signs have to be backslash escaped.
TCP Wrappers expects "unknown" in the hostname argument if the
reverse DNS lookup for the incoming connection fails.
Problem noted by Randy Grimshaw of Syracuse University and
Wietse Venema of the Global Security Analysis Lab at
IBM T.J. Watson Research.
DSN success bounces generated from an invocation of sendmail -t
would be sent to both the sender and MAILER-DAEMON.
Problem noted by Claus Assmann of
Christian-Albrechts-University of Kiel.
Avoid "Error 0" messages on delivery mailers which exit with a
valid exit value such as EX_NOPERM. Fix from Andreas Luik
of ISA Informationssysteme GmbH.
Tokenize $&x expansions on right hand side of rules. This eliminates
the need to use tricks like $(dequote "" $&{client_name} $)
to cause the ${client_name} macro to be properly tokenized.
Add the MaxRecipientsPerMessage option: this limits the number of
recipients that will be accepted in a single SMTP
transaction. After this number is reached, sendmail
starts returning "452 Too many recipients" to all RCPT
commands. This can be used to limit the number of recipients
per envelope (in particular, to discourage use of the server
for spamming). Note: a better approach is to restrict
relaying entirely.
Fixed pointer initialization for LDAP lmap struct, fixed -s option
to ldapx map and added timeout for ldap_open call to
avoid hanging sendmail in the event of hung LDAP servers.
Patch from Booker Bense of Stanford University.
Allow multiple -qI, -qR, or -qS queue run limiters. For example,
'-qRfoo -qRbar' would deliver mail to recipients with foo or
bar in their address. Patch from Allan E Johannesen of
Worcester Polytechnic Institute.
The bestmx map will now return a list of the MX servers for a host if
passed a column delimiter via the -z map flag. This can be
used to check if the server is an MX server for the recipient
of a message. This can be used to help prevent relaying.
Patch from Mitchell Blank Jr of Exec-PC.
Mark failures for the *file* mailer and return bounce messages to the
sender for those failures.
Prevent bogus syslog timestamps on errors in sendmail.cf by
preserving the TZ environment variable until TimeZoneSpec
has been determined. Problem noted by Ralf Hildebrandt of
Technical University of Braunschweig. Patch from Per Hedeland
of Ericsson.
Print test input in address test mode when input is not from the tty
when the -v flag is given (i.e. sendmail -bt -v) to make
output easier to decipher. Problem noted by Aidan Nichol
of Procter & Gamble.
The LDAP map -s flag was not properly parsed and the error message
given included the remainder of the arguments instead of
solely the argument in error. Problem noted by Aidan Nichol
of Procter & Gamble.
New DontBlameSendmail option. This option allows administrators to
bypass some of sendmail's file security checks at the expense
of system security. This should only be used if you are
absolutely sure you know the consequences. The available
DontBlameSendmail options are:
Safe
AssumeSafeChown
ClassFileInUnsafeDirPath
ErrorHeaderInUnsafeDirPath
GroupWritableDirPathSafe
GroupWritableForwardFileSafe
GroupWritableIncludeFileSafe
GroupWritableAliasFile
HelpFileinUnsafeDirPath
WorldWritableAliasFile
ForwardFileInGroupWritableDirPath
IncludeFileInGroupWritableDirPath
ForwardFileInUnsafeDirPath
IncludeFileInUnsafeDirPath
ForwardFileInUnsafeDirPathSafe
IncludeFileInUnsafeDirPathSafe
MapInUnsafeDirPath
LinkedAliasFileInWritableDir
LinkedClassFileInWritableDir
LinkedForwardFileInWritableDir
LinkedIncludeFileInWritableDir
LinkedMapInWritableDir
LinkedServiceSwitchFileInWritableDir
FileDeliveryToHardLink
FileDeliveryToSymLink
WriteMapToHardLink
WriteMapToSymLink
WriteStatsToHardLink
WriteStatsToSymLink
RunProgramInUnsafeDirPath
RunWritableProgram
New DontProbeInterfaces option to turn off the inclusion of all the
interface names in $=w on startup. In particular, if you
have lots of virtual interfaces, this option will speed up
startup. However, unless you make other arrangements, mail
sent to those addresses will be bounced.
Automatically create alias databases if they don't exist and
AutoRebuildAliases is set.
Add PrivacyOptions=noetrn flag to disable the SMTP ETRN command.
Suggested by Christophe Wolfhugel of the Institut Pasteur.
Add PrivacyOptions=noverb flag to disable the SMTP VERB command.
When determining the client host name ($&{client_name} macro), do
a forward (A) DNS lookup on the result of the PTR lookup
and compare results. If they differ or if the PTR lookup
fails, &{client_name} will contain the IP address
surrounded by square brackets (e.g. [127.0.0.1]).
New map flag: -Tx appends "x" to lookups that return temporary failure
(i.e, it is like -ax for the temporary failure case, in
contrast to the success case).
New syntax to do limited checking of header syntax. A config line
of the form:
HHeader: $>Ruleset
causes the indicated Ruleset to be invoked on the Header
when read. This ruleset works like the check_* rulesets --
that is, it can reject mail on the basis of the contents.
Limit the size of the HELO/EHLO parameter to prevent spammers
from hiding their connection information in Received:
headers.
When SingleThreadDelivery is active, deliveries to locked hosts
are skipped. This will cause the delivering process to
try the next MX host or queue the message if no other MX
hosts are available. Suggested by Alexander Litvin.
The [FILE] mailer type now delivers to the file specified in the
A= equate of the mailer definition instead of $u. It also
obeys all of the F= mailer flags such as the MIME
7/8 bit conversion flags. This is useful for defining
a mailer which delivers to the same file regardless of the
recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).
Do not assume the identity of a remote connection is root@localhost
if the remote connection closes the socket before the
remote identity can be queried.
Change semantics of the F=S mailer flag back to 8.7.5 behavior.
Some mailers, including procmail, require that the real
uid is left unchanged by sendmail. Problem noted by Per
Hedeland of Ericsson.
No longer is the src/obj*/Makefile selected from a large list -- it
is now generated using the information in BuildTools/OS/ --
some of the details are determined dynamically via
BuildTools/bin/configure.sh.
The other programs in the sendmail distribution -- mail.local,
mailstats, makemap, praliases, rmail, and smrsh -- now use
the new Build method which creates an operating system
specific Makefile using the information in BuildTools.
Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e.,
a failure on one message won't affect future messages to the
same host). This is necessary if the remote host sends
a 451 error if the domain of the sender does not resolve
as is common in anti-spam configurations. Problem noted
by Mitchell Blank Jr of Exec-PC.
New "discard" mailer for check_* rulesets and header checking
rulesets. If one of the above rulesets resolves to the
$#discard mailer, the commands will be accepted but the
message will be completely discarded after it is accepting.
This means that even if only one of the recipients
resolves to the $#discard mailer, none of the recipients
will receive the mail. Suggested by Brian Kantor.
All but the last cloned envelope of a split envelope were queued
instead of being delivered. Problem noted by John Caruso
of CNET: The Computer Network.
Fix deadlock situation in persistent host status file locking.
Syslog an error if a user forward file could not be read due to
an error. Patch from John Beck of Sun Microsystems.
Use the first name returned on machine lookups when canonifying a
hostname via NetInfo. Patch from Timm Wetzel of GWDG.
Clear the $&{client_addr}, $&{client_name}, and $&{client_port}
macros when delivering a bounce message to prevent
rejection by a check_compat ruleset which uses these macros.
Problem noted by Jens Hamisch of AgiX Internetservices GmbH.
If the check_relay ruleset resolves to the the error mailer, the
error in the $: portion of the resolved triplet is used
in the rejection message given to the remote machine.
Suggested by Scott Gifford of The Internet Ramp.
Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros
before calling the check_relay ruleset. Suggested by Scott
Gifford of The Internet Ramp.
Sendmail would get a segmentation fault if a mailer exited with an
exit code of 79. Problem noted by Aaron Schrab of ExecPC
Internet. Fix from Christophe Wolfhugel of the Pasteur
Institute.
Separate snprintf/vsnprintf routines into separate file for use by
mail.local.
Allow multiple map lookups on right hand side, e.g.,
R$* $( host $1 $) $| $( passwd $1 $). Patch from
Christophe Wolfhugel of the Pasteur Institute.
Properly generate success DSN messages if requested for aliases
which have owner- aliases. Problem noted by Kari Hurtta
of the Finnish Meteorological Institute.
Properly display delayed-expansion macros ($&{macroname}) in
address test mode (-bt). Problem noted by Bryan Costales
of InfoBeat, Inc.
-qR could sometimes match names incorrectly. Problem noted by
Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.
Include a magic number and version in the StatusFile for the
mailstats command.
Record the number of rejected and discarded messages in the
StatusFile for display by the mailstats command. Patch
from Randall Winchester of the University of Maryland.
IDENT returns where the OSTYPE field equals "OTHER" now list the
user portion as IDENT:username@site instead of
username@site to differentiate the two. Suggested by
Kari Hurtta of the Finnish Meteorological Institute.
Enforce timeout for LDAP queries. Patch from Per Hedeland of
Ericsson.
Change persistent host status filename substitution so '/' is
replaced by ':' instead of '|' to avoid clashes. Also
avoid clashes with hostnames with leading dots. Fix from
Mitchell Blank Jr. of Exec-PC.
If the system lock table is full, only attempt to create a new
queue entry five times before giving up. Previously, it
was attempted indefinitely which could cause the partition
to run out of inodes. Problem noted by Suzie Weigand of
Stratus Computer, Inc.
In verbose mode, warn if the sendmail.cf version is less than the
currently supported version.
Sorting for QueueSortOrder=host is now case insensitive. Patch
from Randall S. Winchester of the University of Maryland.
Properly quote a full name passed via the -F command line option,
the Full-Name: header, or the NAME environment variable if
it contains characters which must be quoted. Problem noted
by Kari Hurtta of the Finnish Meteorological Institute.
Avoid possible race condition that unlocked a mail job before
releasing the transcript file on systems that use flock(2).
In some cases, this might result in a "Transcript Unavailable"
message in error bounces.
Accept SMTP replies which contain only a reply code and no
accompanying text. Problem noted by Fernando Fraticelli of
Digital Equipment Corporation.
Portability:
AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura
of Kyoto University.
AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from
Randall S. Winchester of the University of
Maryland.
AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
CRAY T3E from Manu Mahonen of Center for Scientific Computing
in Finland.
Digital UNIX now uses statvfs for determining free
disk space. Patch from Randall S. Winchester of
the University of Maryland.
HP-UX 11.x from Richard Allen of Opin Kerfi HF and
Regis McEwen of Progress Software Corporation.
IRIX 64 bit fixes from Kari Hurtta of the Finnish
Meteorological Institute.
IRIX 6.2 configuration fix for mail.local from Michael Kyle
of CIC/Advanced Computing Laboratory.
IRIX 6.5 from Thomas H Jones II of SGI.
IRIX 6.X load average code from Bob Mende of SGI.
QNX from Glen McCready <glen@qnx.com>.
SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links
to sendmail. Install with group bin instead of kmem
as kmem does not exist. From Guillermo Freige of
Gobernacion de la Pcia de Buenos Aires and Paul
Fischer of BTG, Inc.
SunOS 4.X does not include memmove(). Patch from
Per Hedeland of Ericsson.
SunOS 5.7 includes getloadavg() function for determining
load average. Patch from John Beck of Sun
Microsystems.
CONFIG: Increment version number of config file.
CONFIG: add DATABASE_MAP_TYPE to set the default type of database
map for the various maps. The default is hash. Patch from
Robert Harker of Harker Systems.
CONFIG: new confEBINDIR m4 variable for defining the executable
directory for certain programs.
CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for
local mail delivery. By the default, /usr/libexec/mail.local
is used. This is expected to be the mail.local shipped
with 8.9 which is LMTP capable. The path is based on the
new confEBINDIR m4 variable.
CONFIG: Use confEBINDIR in determining path to smrsh for
FEATURE(smrsh). Note that this changes the default from
/usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the
old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).
CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to
include $z/.forward.$w+$h and $z/.forward+$h which allow
the user to setup different .forward files for
user+detail addressing.
CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES,
and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage,
DontProbeInterfaces, and DontBlameSendmail options.
CONFIG: by default do not allow relaying (that is, accepting mail
from outside your domain and sending it to another host
outside your domain).
CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from
any site to any site.
CONFIG: new FEATURE(relay_entire_domain) allows any host in your
domain as defined by the 'm' class ($=m) to relay.
CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on
the MX records of the host portion of an incoming recipient.
CONFIG: new FEATURE(access_db) which turns on the access database
feature. This database give you the ability to allow
or refuse to accept mail from specified domains for
administrative reasons. By default, names that are listed
as "OK" in the access db are domain names, not host names.
CONFIG: new confCR_FILE m4 variable for defining the name of the file
used for class 'R'. Defaults to /etc/mail/relay-domains.
CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file)
to add items to class 'R' ($=R) for hosts allowed to relay.
CONFIG: new FEATURE(relay_hosts_only) to change the behavior
of FEATURE(access_db) and class 'R' to lookup individual
host names only.
CONFIG: new FEATURE(loose_relay_check). Normally, if a recipient
using % addressing is used, e.g. user%site@othersite,
and othersite is in class 'R', the check_rcpt ruleset
will strip @othersite and recheck user@site for relaying.
This feature changes that behavior. It should not be
needed for most installations.
CONFIG: new FEATURE(relay_local_from) to allow relaying if the
domain portion of the mail sender is a local host. This
should only be used if absolutely necessary as it opens
a window for spammers. Patch from Randall S. Winchester of
the University of Maryland.
CONFIG: new FEATURE(blacklist_recipients) turns on the ability to
block incoming mail destined for certain recipient
usernames, hostnames, or addresses.
CONFIG: By default, MAIL FROM: commands in the SMTP session will be
refused if the host part of the argument to MAIL FROM: cannot
be located in the host name service (e.g., DNS).
CONFIG: new FEATURE(accept_unresolvable_domains) accepts
unresolvable hostnames in MAIL FROM: SMTP commands.
CONFIG: new FEATURE(accept_unqualified_senders) accepts
MAIL FROM: senders which do not include a domain.
CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the
Realtime Blackhole List. You can specify the RBL name
server to contact by specifying it as an optional argument.
The default is rbl.maps.vix.com. For details, see
http://maps.vix.com/rbl/.
CONFIG: Call Local_check_relay, Local_check_mail, and
Local_check_rcpt from check_relay, check_mail, and
check_rcpt. Users with local rulesets should place the
rules using LOCAL_RULESETS. If a Local_check_* ruleset
returns $#OK, the message is accepted. If the ruleset
returns a mailer, the appropriate action is taken, else
the return of the ruleset is ignored.
CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by
default to support file, :include:, and program deliveries.
CONFIG: Remove the default for confDEF_USER_ID so the binary can
pick the proper default value. See the SECURITY note
above for more information.
CONFIG: FEATURE(nodns) now warns the user that the feature is a
no-op. Patch from Kari Hurtta of the Finnish
Meteorological Institute.
CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to
daemon since DEC's /bin/mail will drop the envelope
sender if run as mailnull. See the Digital UNIX section
of src/README for more information. Problem noted by
Kari Hurtta of the Finnish Meteorological Institute.
CONFIG: .cf files are now stored in the same directory with the
.mc files instead of in the obj directory.
CONFIG: New options confSINGLE_LINE_FROM_HEADER,
confALLOW_BOGUS_HELO, and confMUST_QUOTE_CHARS for
setting SingleLineFromHeader, AllowBogusHELO, and
MustQuoteChars respectively.
MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This
SMTP-like protocol allows detailed reporting of delivery
status on a per-user basis. Code donated by John Myers of
CMU (now of Netscape).
MAIL.LOCAL: HP-UX support from Randall S. Winchester of the
University of Maryland. NOTE: mail.local is not
compatible with the stock HP-UX mail format. Be sure to
read mail.local/README.
MAIL.LOCAL: Prevent other mail delivery agents from stealing a
mailbox lock. Patch from Randall S. Winchester of the
University of Maryland.
MAIL.LOCAL: glibc portability from John Kennedy of Cal State
University, Chico.
MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish
Meteorological Institute.
MAILSTATS: Display the number of rejected and discarded messages
in the StatusFile. Patch from Randall Winchester of the
University of Maryland.
MAKEMAP: New -s flag to ignore safety checks on database map files
such as linked files in world writable directories.
MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support.
PRALIASES: Add support for Berkeley DB 2.X.
PRALIASES: Do not automatically include NDBM support. Problem
noted by Ralf Hildebrandt of the Technical University of
Braunschweig.
RMAIL: Improve portability for other platforms. Patches from
Randall S. Winchester of the University of Maryland and
Kari Hurtta of the Finnish Meteorological Institute.
Changed Files:
src/Makefiles/Makefile.* files have been modified to use
the new build mechanism and are now BuildTools/OS/*.
src/makesendmail changed to symbolic link to src/Build.
New Files:
BuildTools/M4/header.m4
BuildTools/M4/depend/BSD.m4
BuildTools/M4/depend/CC-M.m4
BuildTools/M4/depend/NCR.m4
BuildTools/M4/depend/Solaris.m4
BuildTools/M4/depend/X11.m4
BuildTools/M4/depend/generic.m4
BuildTools/OS/AIX.4.2
BuildTools/OS/AIX.4.x
BuildTools/OS/CRAYT3E.2.0.x
BuildTools/OS/HP-UX.11.x
BuildTools/OS/IRIX.6.5
BuildTools/OS/NEXTSTEP.4.x
BuildTools/OS/NeXT.4.x
BuildTools/OS/NetBSD.8.3
BuildTools/OS/QNX
BuildTools/OS/SunOS.5.7
BuildTools/OS/dcosx.1.x.NILE
BuildTools/README
BuildTools/Site/README
BuildTools/bin/Build
BuildTools/bin/configure.sh
BuildTools/bin/find_m4.sh
BuildTools/bin/install.sh
Makefile
cf/cf/Build
cf/cf/generic-hpux10.cf
cf/feature/accept_unqualified_senders.m4
cf/feature/accept_unresolvable_domains.m4
cf/feature/access_db.m4
cf/feature/blacklist_recipients.m4
cf/feature/loose_relay_check.m4
cf/feature/local_lmtp.m4
cf/feature/promiscuous_relay.m4
cf/feature/rbl.m4
cf/feature/relay_based_on_MX.m4
cf/feature/relay_entire_domain.m4
cf/feature/relay_hosts_only.m4
cf/feature/relay_local_from.m4
cf/ostype/qnx.m4
contrib/doublebounce.pl
mail.local/Build
mail.local/Makefile.m4
mail.local/README
mailstats/Build
mailstats/Makefile.m4
makemap/Build
makemap/Makefile.m4
praliases/Build
praliases/Makefile.m4
rmail/Build
rmail/Makefile.m4
rmail/rmail.0
smrsh/Build
smrsh/Makefile.m4
src/Build
src/Makefile.m4
src/snprintf.c
Deleted Files:
cf/cf/Makefile (replaced by Makefile.dist)
mail.local/Makefile
mail.local/Makefile.dist
mailstats/Makefile
mailstats/Makefile.dist
makemap/Makefile
makemap/Makefile.dist
praliases/Makefile
praliases/Makefile.dist
rmail/Makefile
smrsh/Makefile
smrsh/Makefile.dist
src/Makefile
src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
src/Makefiles/Makefile.SMP_DC.OSx.NILE
(renamed BuildTools/OS/dcosx.1.x.NILE)
src/Makefiles/Makefile.Utah (obsolete platform)
Renamed Files:
READ_ME => README
cf/cf/Makefile.dist => Makefile
cf/cf/obj/* => cf/cf/*
src/READ_ME => src/README
8.8.8/8.8.8 97/10/24
If the check_relay ruleset failed, the relay= field was logged
incorrectly. Problem noted by Kari Hurtta of the Finnish
Meteorological Institute.
If /usr/tmp/dead.letter already existed, sendmail could not
add additional bounces to it. Problem noted by Thomas J.
Arseneault of SRI International.
If an SMTP mailer used a non-standard port number for the outgoing
connection, it would be displayed incorrectly in verbose mode.
Problem noted by John Kennedy of Cal State University, Chico.
Log the ETRN parameter specified by the client before altering them
to internal form. Suggested by Bob Kupiec of GES-Verio.
EXPN and VRFY SMTP commands on malformed addresses were logging as
User unknown with bogus delay= values. Change them to log
the same as compliant addresses. Problem noted by Kari E.
Hurtta of the Finnish Meteorological Institute.
Ignore the debug resolver option unless using sendmail debug trace
option for resolver. Problem noted by Greg Nichols of Wind
River Systems.
If SingleThreadDelivery was enabled and the remote server returned a
protocol error on the DATA command, the connection would be
closed but the persistent host status file would not be
unlocked so other sendmail processes could not deliver to
that host. Problem noted by Peter Wemm of DIALix.
If queueing up a message due to an expensive mailer, don't increment
the number of delivery attempts or set the last delivery
attempt time so the message will be delivered on the next
queue run regardless of MinQueueAge. Problem noted by
Brian J. Coan of the Institute for Global Communications.
Authentication warnings of "Processed from queue _directory_" and
"Processed by _username_ with -C _filename_" would be logged
with the incorrect timestamp. Problem noted by Kari E. Hurtta
of the Finnish Meteorological Institute.
Use a better heuristic for detecting GDBM.
Log null connections on dropped connections. Problem noted by
Jon Lewis of Florida Digital Turnpike.
If class dbm maps are rebuilt, sendmail will now detect this and
reopen the map. Previously, they could give stale
results during a single message processing (but would
recover when the next message was received). Fix from
Joe Pruett of Q7 Enterprises.
Do not log failures such as "User unknown" on -bv or SMTP VRFY
requests. Problem noted by Kari E. Hurtta of the
Finnish Meteorological Institute.
Do not send a bounce message back to the sender regarding bad
recipients if the SMTP connection is dropped before the
message is accepted. Problem noted by Kari E. Hurtta of the
Finnish Meteorological Institute.
Use "localhost" instead of "[UNIX: localhost]" when connecting to
sendmail via a UNIX pipe. This will allow rulesets using
$&{client_name} to process without sending the string through
dequote. Problem noted by Alan Barrett of Internet Africa.
A combination of deferred delivery mode, a double bounce situation,
and the inability to save a bounce message to
/var/tmp/dead.letter would cause sendmail to send a bounce
to postmaster but not remove the offending envelope from the
queue causing it to create a new bounce message each time the
queue was run. Problem noted by Brad Doctor of Net Daemons
Associates.
Remove newlines from hostname information returned via DNS. There are
no known security implications of newlines in hostnames as
sendmail filters newlines in all vital areas; however, this
could cause confusing error messages.
Starting with sendmail 8.8.6, mail sent with the '-t' option would be
rejected if any of the specified addresses were bad. This
behavior was modified to only reject the bad addresses and not
the entire message. Problem noted by Jozsef Hollosi of
SuperNet, Inc.
Use Timeout.fileopen when delivering mail to a file. Suggested by
Bryan Costales of InfoBeat, Inc.
Display the proper Final-Recipient on DSN messages for non-SMTP
mailers. Problem noted by Kari E. Hurtta of the
Finnish Meteorological Institute.
An error in calculating the available space in the list of addresses
for logging deliveries could cause an address to be silently
dropped.
Include the initial user environment if sendmail is restarted via
a HUP signal. This will give room for the process title.
Problem noted by Jon Lewis of Florida Digital Turnpike.
Mail could be delivered without a body if the machine does not
support flock locking and runs out of processes during
delivery. Fix from Chuck Lever of the University of Michigan.
Drop recipient address from 251 and 551 SMTP responses per RFC 821.
Problem noted by Kari E. Hurtta of the Finnish Meteorological
Institute.
Make sure non-rebuildable database maps are opened before the
rebuildable maps (i.e. alias files) in case the database maps
are needed for verifying the left hand side of the aliases.
Problem noted by Lloyd Parkes of Victoria University.
Make sure sender RFC822 source route addresses are alias expanded for
bounce messages. Problem noted by Juergen Georgi of
RUS University of Stuttgart.
Minor lint fixes.
Return a temporary error instead of a permanent error if an LDAP map
search returns an error. This will allow sequenced maps which
use other LDAP servers to be checked. Fix from Booker Bense
of Stanford University.
When automatically converting from quoted printable to 8bit text do
not pad bare linefeeds with a space. Problem noted by Theo
Nolte of the University of Technology Aachen, Germany.
Portability:
Non-standard C compilers may have had a problem compiling
conf.c due to a standard C external declaration of
setproctitle(). Problem noted by Ted Roberts of
Electronic Data Systems.
AUX: has a broken O_EXCL implementation. Reported by Jim
Jagielski of jaguNET Access Services.
BSD/OS: didn't compile if HASSETUSERCONTEXT was defined.
Digital UNIX: Digital UNIX (and possibly others) moves
loader environment variables into the loader memory
area. If one of these environment variables (such as
LD_LIBRARY_PATH) was the last environment variable,
an invalid memory address would be used by the process
title routine causing memory corruption. Problem
noted by Sam Hartman of Mesa Internet Systems.
GNU libc: uses an enum for _PC_CHOWN_RESTRICTED which caused
chownsafe() to always return 0 even if the OS does
not permit file giveaways. Problem noted by
Yasutaka Sumi of The University of Tokyo.
IRIX6: Syslog buffer size set to 512 bytes. Reported by
Gerald Rinske of Siemens Business Services VAS.
Linux: Pad process title with NULLs. Problem noted by
Jon Lewis of Florida Digital Turnpike.
SCO OpenServer 5.0: SIOCGIFCONF ioctl call returns an
incorrect value for the number of interfaces.
Problem noted by Chris Loelke of JetStream Internet
Services.
SINIX: Update for Makefile and syslog buffer size from Gerald
Rinske of Siemens Business Services VAS.
Solaris: Make sure HASGETUSERSHELL setting for SunOS is not
used on a Solaris machine. Problem noted by
Stephen Ma of Jtec Pty Limited.
CONFIG: SINIX: Update from Gerald Rinske of Siemens Business
Services VAS.
MAKEMAP: Use a better heuristic for detecting GDBM.
CONTRIB: expn.pl: Updated version from the author, David Muir Sharnoff.
OP.ME: Document the F=i mailer flag. Problem noted by Per Hedeland of
Ericsson.
8.8.7/8.8.7 97/08/03
If using Berkeley DB on systems without O_EXLOCK (open a file with
an exclusive lock already set -- i.e., almost all systems
except 4.4-BSD derived systems), the initial attempt at
rebuilding aliases file if the database didn't already
exist would fail. Patch from Raymund Will of LST Software
GmbH.
Bogus incoming SMTP commands would reset the SMTP conversation.
Problem noted by Fredrik J<>nsson of the Royal Institute
of Technology, Stockholm.
Since TCP Wrappers includes setenv(), unsetenv(), and putenv(),
some environments could give "multiple definitions" for these
routines during compilation. If using TCP Wrappers, assume
that these routines are included as though they were in the
C library. Patch from Robert La Ferla.
When a NEWDB database map was rebuilt at the same time it was being
used by a queue run, the maps could be left locked for the
duration of the queue run, causing other processes to hang.
Problem noted by Kendall Libby of Shore.NET.
In some cases, NoRecipientAction=add-bcc was being ignored, so the
mail was passed on without any recipient header. This could
cause problems downstream. Problem noted by Xander Jansen
of SURFnet ExpertiseCentrum.
Give error when GDBM is used with sendmail. GDBM's locking and
linking of the .dir and .pag files interferes with sendmail's
locking and security checks. Problems noted by Fyodor
Yarochkin of the Kyrgyz Republic FreeNet.
Don't fsync qf files if SuperSafe option is not set.
Avoid extra calls to gethostbyname for addresses for which a
gethostbyaddr found no value. Also, ignore any returns
from gethostbyaddr that look like a dotted quad.
If PTR lookup fails when looking up an SMTP peer, don't tag it as
"may be forged", since at the network level we pretty much
have to assume that the information is good.
In some cases, errors during an SMTP session could leave files
open or locked.
Better handling of missing file descriptors (0, 1, 2) on startup.
Better handling of non-setuid binaries -- avoids certain obnoxious
errors during testing.
Errors in file locking of NEWDB maps had the incorrect file name
printed in the error message.
If the AllowBogusHELO option were set and an EHLO with a bad or
missing parameter were issued, the EHLO behaved like a HELO.
Load limiting never kicked in for incoming SMTP transactions if the
DeliveryMode=background and any recipient was an alias or
had a .forward file. From Nik Conwell of Boston University.
On some non-Posix systems, the decision of whether chown(2) permits
file giveaway was undefined. From Tetsu Ushijima of the
Tokyo Institute of Technology.
Fix race condition that could cause the body of a message to be
lost (so only the header was delivered). This only occurs
on systems that do not use flock(2), and only when a queue
runner runs during a critical section in another message
delivery. Based on a patch from Steve Schweinhart of
Results Computing.
If a qf file was found in a mail queue directory that had a problem
(wrong ownership, bad format, etc.) and the file name was
exactly MAXQFNAME bytes long, then instead of being tried
once, it would be tried on every queue run. Problem noted
by Bryan Costales of Mercury Mail.
If the system supports an st_gen field in the status structure,
include it when reporting that a file has changed after open.
This adds a new compile flag, HAS_ST_GEN (0/1 option).
This out to be checked as well as reported, since it is
theoretically possible for an attacker to remove a file after
it is opened and replace it with another file that has the
same i-number, but some filesystems (notably AFS) return
garbage in this field, and hence always look like the file
has changed. As a practical matter this is not a security
problem, since the files can be neither hard nor soft links,
and on no filesystem (that I am aware of) is it possible to
have two files on the same filesystem with the same i-number
simultaneously.
Delete the root Makefile from the distribution -- it is only for
use internally, and does not work at customer sites.
Fix botch that caused the second MAIL FROM: command in a single
transaction to clear the entire transaction. Problem
noted by John Kennedy of Cal State University, Chico.
Work properly on machines that have _PATH_VARTMP defined without
a trailing slash. (And a pox on vendors that decide to
ignore the established conventions!) Problem noted by
Gregory Neil Shapiro of WPI.
Internal changes to make it easier to add another protocol family
(intended for IPv6). Patches are from John Kennedy of
CSU Chico.
In certain cases, 7->8 bit MIME decoding of Base64 text could leave
an extra space at the beginning of some lines. Problem
noted by Charles Karney of Princeton University; fix based
on a patch from Christophe Wolfhugel.
Portability:
Allow _PATH_VENDOR_CF to be set in Makefile for consistency
with the _Sendmail_ book, 2nd edition. Note that
the book is actually wrong: _PATH_SENDMAILCF should
be used instead.
AIX 3.x: Include <sys/select.h>. Patch from Gene Rackow
of Argonne National Laboratory.
OpenBSD from from Paul DuBois of the University of Wisconsin.
RISC/os 4.0 from Paul DuBois of the University of Wisconsin.
SunOS: Include <memory.h> to fix warning from util.c. From
James Aldridge of EUnet Ltd.
Solaris: Change STDIR (location of status file) to /etc/mail
in Makefiles.
Linux, Dynix, UNICOS: Remove -DNDBM and -lgdbm from
Makefiles. Use NEWDB on Linux instead.
NCR MP-RAS 3.x with STREAMware TCP/IP: SIOCGIFNUM ioctl
exists but behaves differently than other OSes.
Add SIOCGIFNUM_IS_BROKEN compile flag to get
around the problem. Problem noted by Tom Moore of
NCR Corp.
HP-UX 9.x: fix compile warnings for old select API. Problem
noted by Tom Smith of Digital Equipment Corp.
UnixWare 2.x: compile warnings on offsetof macro. Problem
noted by Tom Good of the Community Access Information
Resource Network
SCO 4.2: compile problems caused by a change in the type of
the "length" parameters passed to accept, getpeername,
getsockname, and getsockopt. Adds new compile flags
SOCKADDR_SIZE_T and SOCKOPT_SIZE_T. Problem reported
by Tom Good of St. Vincent's North Richmond Community
Mental Health Center Residential Services.
AIX 4: Use size_t for SOCKADDR_SIZE_T and SOCKOPT_SIZE_T.
Suggested by Brett Hogden of Rochester Gas & Electric
Corp.
Linux: avoid compile problem for versions of <setjmp.h> that
#define both setjmp and longjmp. Problem pointed out
by J.R. Oldroyd of TerraNet.
CONFIG: SCO UnixWare 2.1: Support for OSTYPE(sco-uw-2.1)
from Christopher Durham of SCO.
CONFIG: NEXTSTEP: define confCW_FILE to
/etc/sendmail/sendmail.cw to match the usual
configuration. Patch from Dennis Glatting of
PlainTalk.
CONFIG: MAILER(fax) called a program that hasn't existed for a long
time. Convert to use the HylaFAX 4.0 conventions. Suggested
by Harry Styron.
CONFIG: Improve sample anti-spam rulesets in cf/cf/knecht.mc. These
are the rulesets in use on sendmail.org.
MAKEMAP: give error on GDBM files.
MAIL.LOCAL: Make error messages a bit more explicit, for example,
telling more details on what actually changed when "file
changed after open".
CONTRIB: etrn.pl: Ignore comments in Fw files. Support multiple Fw
files.
CONTRIB: passwd-to-alias.pl: Handle 8 bit characters and '-'.
NEW FILES:
src/Makefiles/Makefile.OpenBSD
src/Makefiles/Makefile.RISCos.4_0
test/t_exclopen.c
cf/ostype/sco-uw-2.1.m4
DELETED FILES:
Makefile
8.8.6/8.8.6 97/06/14
*************************************************************
* The extensive assistance of Gregory Neil Shapiro of WPI *
* in preparing this release is gratefully appreciated. *
* Sun Microsystems has also provided resources toward *
* continued sendmail development. *
*************************************************************
SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
mode bits set to create a file that is a symbolic link that
points nowhere. This makes it possible to create a root
owned file in an arbitrary directory by inserting the symlink
into a writable directory after the initial lstat(2) check
determined that the file did not exist. The only verified
example of a system having these odd semantics for O_EXCL
and symbolic links was HP-UX prior to version 9.07. Most
systems do not have the problem, since a exclusive create
of a file disallows symbolic links. Systems that have been
verified to NOT have the problem include AIX 3.x, *BSD,
DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
and Ultrix. This is a potential exposure on systems that
have this bug and which do not have a MAILER-DAEMON alias
pointing at a legitimate account, since this will cause old
mail to be dropped in /var/tmp/dead.letter.
SECURITY: Problems can occur on poorly managed systems, specifically,
if maps or alias files are in world writable directories.
If your system has alias maps in writable directories, it
is potentially possible for an attacker to replace the .db
(or .dir and .pag) files by symbolic links pointing at
another database; this can be used either to expose
information (e.g., by pointing an alias file at /etc/spwd.db
and probing for accounts), or as a denial-of-service attack
(by trashing the password database). The fix disallows
symbolic links entirely when rebuilding alias files or on
maps that are in writable directories, and always warns on
writable directories; 8.9 will probably consider writable
directories to be fatal errors. This does not represent an
exposure on systems that have alias files in unwritable
system directories.
SECURITY: disallow .forward or :include: files that are links (hard
or soft) if the parent directory (or any directory in the
path) is writable by anyone other than the owner. This is
similar to the previous case for user files. This change
should not affect most systems, but is necessary to prevent
an attacker who can write the directory from pointing such
files at other files that are readable only by the owner.
SECURITY: Tighten safechown rules: many systems will say that they
have a safe (restricted to root) chown even on files that
are mounted from another system that allows owners to give
away files. The new rules are very strict, trusting file
ownership only in those few cases where the system has
been verified to be at least as paranoid as necessary.
However, it is possible to relax the rules to partially
trust the ownership if the directory path is not world or
group writable. This might allow someone who has a legitimate
:include: file (referenced directly from /etc/aliases) to
become another non-root user if the :include: file is in a
non-writable directory on an NFS-mounted filesystem where
the local system says that giveaway is denied but it is
actually permitted. I believe this to be a very small set
of cases. If in doubt, do not point :include: aliases at
NFS-mounted filesystems.
SECURITY: When setting a numeric group id using the RunAsUser option
(e.g., "O RunAsUser=10:20", the group id would not be set.
Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
The user id was still set properly. Problem noted by Uli
Pralle of the Technical University of Berlin.
Save the initial gid set for use when checking for if the
PrivacyOptions=restrictmailq option is set. Problem reported
by Wolfgang Ley of DFN-CERT.
Make 55x reply codes to the SMTP DATA-"." be non-sticky (i.e., a
failure on one message won't affect future messages to the
same host).
IP source route printing had an "off by one" error that would
affect any options that came after the route option. Patch
from Theo de Raadt.
The "Message is too large" error didn't successfully bounce the error
back to the sender. Problem reported by Stephen More of
PSI; patch from Gregory Neil Shapiro of WPI.
Change SMTP status code 553 to map into Extended code 5.1.0 (instead
of 5.1.3); it apparently gets used in multiple ways.
Suggested by John Myers of Portola Communications.
Fix possible extra null byte generated during collection if errors
occur at the beginning of the stream. Patch contributed by
Andrey A. Chernov and Gregory Neil Shapiro.
Code changes to avoid possible reentrant call of malloc/free within
a signal handler. Problem noted by John Beck of Sun
Microsystems.
Move map initialization to be earlier so that check_relay ruleset
will have the latest version of the map data. Problem noted
by Paul Forgey of Metainfo; patch from Gregory Neil Shapiro.
If there are fatal errors during the collection phase (e.g., message
too large) don't send the bogus message.
Avoid "cannot open xfAAA00000" messages when sending to aliases that
have errors and have owner- aliases. Problem noted by Michael
Barber of MTU; fix from Gregory Neil Shapiro of WPI.
Avoid null pointer dereference on illegal Boundary= parameters in
multipart/mixed Content-Type: header. Problem noted by
Richard Muirden of RMIT University.
Always print error messages during newaliases (-bi) even if the
ErrorMode is not set to "print". Fix from Gregory Neil
Shapiro.
Test mode could core dump if you did a /map lookup in an optional map
that could not be opened. Based on a fix from John Beck of
Sun Microsystems.
If DNS is misconfigured so that the last MX record tried points to
a host that does not have an A record, but other MX records
pointed to something reasonable, don't bounce the message
with a "host unknown" error. Note that this should really
be fixed in the zone file for the domain. Problem noted by
Joe Rhett of Navigist, Inc.
If a map fails (e.g., DNS times out) on all recipient addresses, mark
the message as having been tried; otherwise the next queue
run will not realize that this is a second attempt and will
retry immediately. Problem noted by Bryan Costales of
Mercury Mail.
If the clock is set backwards, and a MinQueueAge is set, no jobs
will be run until the later setting of the clock is reached.
"Problem" (I use the term loosely) noted by Eric Hagberg of
Morgan Stanley.
If the load average rises above the cutoff threshold (above which
sendmail will not process the queue at all) during a queue
run, abort the queue run immediately. Problem noted by
Bryan Costales of Mercury Mail.
The variable queue processing algorithm (based on the message size,
number of recipients, message precedence, and job age) was
non-functional -- either the entire queue was processed or
none of the queue was processed. The updated algorithm
does no queue run if a single recipient zero size job will
not be run.
If there is a fatal ("panic") message that will cause sendmail to
die immediately, never hold the error message for future
printing.
Force ErrorMode=print in -bt mode so that all errors are printed
regardless of the setting of the ErrorMode option in the
configuration file. Patch from Gregory Neil Shapiro.
New compile flag HASSTRERROR says that this OS has the strerror(3)
routine available in one of the libraries. Use it in conf.h.
The -m (match only) flag now works on host class maps.
If class hash or btree maps are rebuilt, sendmail will now detect
this and reopen the map. Previously, they could give
erroneous results during a single message processing
(but would recover when the next message was received).
Don't delete zero length queue files when doing queue runs until the
files are at least ten minutes old. This avoids a potential
race condition: the creator creates the qf file, getting back
a file descriptor. The queue runner locks it and deletes it
because it is zero length. The creator then writes the
descriptor that is now for a disconnected file, and the
job goes away. Based on a suggestion by Bryan Costales.
When determining the "validated" host name ($_ macro), do a forward
(A) DNS lookup on the result of the PTR lookup and compare
results. If they differ or if the PTR lookup fails, tag the
address as "may be forged".
Log null connections (i.e., hosts that connect but do not do any
substantive activity on the connection before disconnecting;
"substantive" is defined to be MAIL, EXPN, VRFY, or ETRN.
Always permit "writes" to /dev/null regardless of the link count.
This is safe because /dev/null is special cased, and no open
or write is ever actually attempted. Patch from Villy Kruse
of TwinCom.
If a message cannot be sent because of a 552 (exceeded storage
allocation) response to the MAIL FROM:<>, and a SIZE= parameter
was given, don't return the body in the bounce, since there
is a very good chance that the message will double-bounce.
Fix possible line truncation if a quoted-printable had an =00 escape
in the body. Problem noted by Charles Karney of the Princeton
Plasma Physics Laboratory.
Notify flags (e.g., -NSUCCESS) were lost on user+detail addresses.
Problem noted by Kari Hurtta of the Finnish Meteorological
Institute.
The MaxDaemonChildren option wasn't applying to queue runs as
documented. Note that this increases the potential denial
of service problems with this option: an attacker can
connect many times, and thereby lock out queue runs as well
as incoming connections. If you use this option, you should
run the "sendmail -bd" and "sendmail -q30m" jobs separately
to avoid this attack. Failure to limit noted by Matthew
Dillon of BEST Internet Communications.
Always give a message in newaliases if alias files cannot be
opened instead of failing silently. Suggested by Gregory
Neil Shapiro. This change makes the code match the O'Reilly
book (2nd edition).
Some older versions of the resolver could return with h_errno == -1
if no name server could be reached, causing mail to bounce
instead of queueing. Treat this like TRY_AGAIN. Fix from
John Beck of SunSoft.
If a :include: file is owned by a user that does not have an entry
in the passwd file, sendmail could dereference a null pointer.
Problem noted by Satish Mynam of Sun Microsystems.
Take precautions to make sure that the SMTP protocol cannot get out
of sync if (for example) an alias file cannot be opened.
Fix a possible race condition that can cause a SIGALRM to come in
immediately after a SIGHUP, causing the new sendmail to die.
Avoid possible hang on SVr3 systems when doing child reaping. Patch
from Villy Kruse of TwinCom.
Ignore improperly formatted SMTP reply codes. Previously these were
partially processed, which could cause confusing error
returns.
Fix possible bogus pointer dereference when doing ldapx map lookups
on some architectures.
Portability:
A/UX: from Jim Jagielski of NASA/GSFC.
glibc: SOCK_STREAM was changed from a #define to an enum,
thus breaking #ifdef SOCK_STREAM. Only option seems
to be to assume SOCK_STREAM if __GNU_LIBRARY__ is
defined. Problem reported by A Sun of the University
of Washington.
Solaris: use SIOCGIFNUM to get the number of interfaces on
the system rather than guessing at compile time.
Patch contributed by John Beck of Sun Microsystems.
Intel Paragon: from Wendy Lin of Purdue University.
GNU Hurd: from Miles Bader of the GNU project.
RISC/os 4.50 from Harlan Stenn of PFCS Corporation.
ISC Unix: wait never returns if SIGCLD signals are blocked.
Unfortunately releasing them opens a race condition,
but there appears to be no fix for this. Patch from
Gregory Neil Shapiro.
BIND 8.1 for IPv6 compatibility from John Kennedy.
Solaris: a bug in strcasecmp caused characters with the
high order bit set to apparently randomly match
letters -- for example, $| (0233) matches "i" and "I".
Problem noted by John Gregson of the University of
Cambridge.
IRIX 6.x: make Makefile.IRIX.6.2 apply to all 6.x. From
Kari Hurtta.
IRIX 6.x: Create Makefiles for systems that claim to be
IRIX64 but are 6.2 or higher (so use the regular
IRIX Makefile).
IRIX 6.x: Fix load average computation on 64 bit kernels.
Problem noted by Eric Hagberg of Morgan Stanley.
CONFIG: Some canonification was still done for UUCP-like addresses
even if FEATURE(nocanonify) was set. Problem pointed out by
Brian Candler.
CONFIG: In some cases UUCP mailers wouldn't properly recognize all
local names as local. Problem noted by Jeff Polk of BSDI;
fix provided by Gregory Neil Shapiro.
CONFIG: The "local:user" syntax entries in mailertables and other
"mailer:user" syntax locations returned an incorrect value
for the $h macro. Problem noted by Gregory Neil Shapiro.
CONFIG: Retain "+detail" information when forwarding mail to a
MAIL_HUB, LUSER_RELAY, or LOCAL_RELAY. Patch from Philip
Guenther of Gustavus Adolphus College.
CONFIG: Make sure user+detail works for FEATURE(virtusertable);
rules are the same as for aliasing. Based on a patch from
Gregory Neil Shapiro.
CONFIG: Break up parsing rules into several pieces; this should
have no functional change in this release, but makes it
possible to have better anti-spam rulesets in the future.
CONFIG: Disallow double dots in host names to avoid having the
HostStatusDirectory store status under the wrong name.
In some cases this can be used as a denial-of-service attack.
Problem noted by Ron Jarrell of Virginia Tech, patch from
Gregory Neil Shapiro.
CONFIG: Don't use F=m (multiple recipients per invocation) for
MAILER(procmail), but do pass F=Pn9 (include Return-Path:,
don't include From_, and convert to 8-bit). Suggestions
from Kimmo Suominen and Roderick Schertler.
CONFIG: Domains under $=M (specified with MASQUERADE_DOMAIN) where
being masqueraded as though FEATURE(masquerade_entire_domain)
was specified, even when it wasn't.
MAIL.LOCAL: Solaris 2.6 has snprintf. From John Beck of SunSoft.
MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
"slip in" a symbolic link between the lstat(2) call and the
exclusive open. This is only a problem on System V derived
systems that allow an exclusive create on files that are
symbolic links pointing nowhere.
MAIL.LOCAL: If the final mailbox close() failed, the user id was
not reset back to root, which on some systems would cause
later mailboxes to fail. Also, any partial message would
not be truncated, which could result in repeated deliveries.
Problem noted by Bruce Evans via Peter Wemm (FreeBSD
developers).
MAKEMAP: Handle cases where O_EXLOCK is #defined to be 0. A similar
change to the sendmail map code was made in 8.8.3. Problem
noted by Gregory Neil Shapiro.
MAKEMAP: Give warnings on file problems such as map files that are
symbolic links; although makemap is not setuid root, it is
often run as root and hence has the potential for the same
sorts of problems as alias rebuilds.
MAKEMAP: Change compilation so that it will link properly on
NEXTSTEP.
CONTRIB: etrn.pl: search for Cw as well as Fw lines in sendmail.cf.
Accept an optional list of arguments following the server
name for the ETRN arguments to use (instead of $=w). Other
miscellaneous bug fixes. From Christian von Roques via
John Beck of Sun Microsystems.
CONTRIB: Add passwd-to-alias.pl, contributed by Kari Hurtta. This
Perl script converts GECOS information in the /etc/passwd
file into aliases, allowing for faster access to full name
lookups; it is also clever about adding aliases (to root)
for system accounts.
NEW FILES:
src/safefile.c
cf/ostype/gnuhurd.m4
cf/ostype/irix6.m4
contrib/passwd-to-alias.pl
src/Makefiles/Makefile.IRIX64.6.1
src/Makefiles/Makefile.IRIX64.6.x
RENAMED FILES:
src/Makefiles/Makefile.IRIX.6.2 => Makefile.IRIX.6.x
src/Makefiles/Makefile.IRIX64 => Makefile.IRIX64.6.0
8.8.5/8.8.5 97/01/21
SECURITY: Clear out group list during startup. Without this, sendmail
will continue to run with the group permissions of the caller,
even if RunAsUser is specified.
SECURITY: Make purgestat (-bH) be root-only. This is not in response
to any known attack, but it's best to be conservative.
Suggested by Peter Wemm of DIALix.
SECURITY: Fix buffer overrun problem in MIME code that has possible
security implications. Patch from Alex Garthwaite of the
University of Pennsylvania.
Use of a -f flag with a phrase attached (e.g., "-f 'Full Name <addr>'")
would truncate the address after "Full". Although the -f
syntax is incorrect (since it is in the envelope, it
shouldn't have comments and full names), the failure mode
was unnecessarily awful.
Fix a possible null pointer dereference when converting 8-bit data
to a 7-bit format. Problem noted by Jim Hutchins of
Sandia National Labs and David James of British Telecom.
Clear out stale state that affected F=9 on SMTP mailers in queue
runs. Although this really shouldn't be used (F=9 is for
final delivery only, and using it on an SMTP mailer makes
it possible for a message to be converted from 8->7->8->7
bits several times), it shouldn't have failed with a syserr.
Problem noted by Eric Hagberg of Morgan Stanley.
_Really_ fix the multiple :maildrop code in the user database
module. Patch from Roy Mongiovi of Georgia Tech.
Let F lines in the configuration file actually read root-only
files if the configuration file is safe. Based on a
patch from Keith Reynolds of SCO.
ETRN followed by QUIT would hold the connection open until the queue
run completed. Problem noted by Truck Lewis of TDK
Semiconductor Corp.
It turns out that despite the documentation, the TCP wrappers library
does _not_ log rejected connections. Do the logging ourselves.
Problem noted by Fletcher Mattox of the University of Texas
at Austin.
If sendmail finds a qf file in its queue directory that is an unknown
version (e.g., when backing out to an old version), the
error is reported on every queue run. Change it to only
give the error once (and rename the qf => Qf). Patch from
William A. Gianopoulos of Raytheon Company.
Start a new session when doing background delivery; currently it
ignored signals but didn't start a new signal, that caused
some problems if a background process tried to send mail
under certain circumstances. Problem noted by Eric Hagberg
of Morgan Stanley; fix from Kari Hurtta.
Simplify test for skipping a queue run to just check if the current
load average is >= the queueing load average. Previously
the check factored in some other parameters that caused it
to essentially never skip the queue run. Patch from Bryan
Costales.
If the SMTP server is running in "nullserver" mode (that is, it is
rejecting all commands), start sleeping after MAXBADCOMMAND
(25) commands; this helps prevent a bad guy from putting
you into a tight loop as a denial-of-service attack. Based
on an e-mail conversation with Brad Knowles of AOL.
Slow down when too many "light weight" commands have been issued;
this helps prevent a class of denial-of-service attacks.
The current values and defaults are:
MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
MAXHELOCOMMANDS 3 HELO, EHLO
MAXVRFYCOMMANDS 6 VRFY, EXPN
MAXETRNCOMMANDS 8 ETRN
These will probably be configurable in a future release.
On systems that have uid_t typedefed to be an unsigned short, programs
that had the F=S flag and no U= equate would be invoked with
the real uid set to 65535 rather than being left unchanged.
In some cases, NOTIFY=NEVER was not being honored. Problem noted
by Steve Hubert of the University of Washington, Seattle.
Mail that was Quoted-Printable encoded and had a soft line break on
the last line (i.e., an incomplete continuation) had the last
line dropped. Since this appears to be illegal it isn't
clear what to do with it, but flushing the last line seems
to be a better "fail soft" approach. Based on a patch from
Eric Hagberg.
If AllowBogusHELO and PrivacyOptions=needmailhelo are both set, a
bogus HELO command still causes the "Polite people say HELO
first" error message. Problem pointed out by Chris Thomas
of UCLA; patch from John Beck of SunSoft.
Handle "sendmail -bp -qSfoobar" properly if restrictqrun is set
in PrivacyOptions. The -q shouldn't turn this command off.
Problem noted by Murray Kucherawy of Pacific Bell Internet;
based on a patch from Gregory Neil Shapiro of WPI.
Don't consider SMTP reply codes 452 or 552 (exceeded storage allocation)
in a DATA transaction to be sticky; these can occur because
a message is too large, and smaller messages should still go
through. Problem noted by Matt Dillon of Best Internet
Communications.
In some cases bounces were saved in /var/tmp/dead.letter even if they
had been successfully delivered to the envelope sender.
Problem noted Eric Hagberg of Morgan Stanley; solution from
Gregory Neil Shapiro of WPI.
Give better diagnostics on long alias lines. Based on code contributed
by Patrick Gosling of the University of Cambridge.
Increase the number of virtual interfaces that will be probed for
alternate names. Problem noted by Amy Rich of Shore.Net.
PORTABILITY:
UXP/DS V20L10 for Fujitsu DS/90: Makefile patches from
Toshiaki Nomura of Fujitsu Limited.
SunOS with LDAP support: compile problems with struct timeval.
Patch from Nick Cuccia of TCSI Corporation.
SCO: from Keith Reynolds of SCO.
Solaris: kstat load average computation wasn't being used.
Fixes from Michael Ju. Tokarev of Telecom Service, JSC
(Moscow).
OpenBSD: from Jason Downs of teeny.org.
Altos System V: from Tim Rice.
Solaris 2.5: from Alan Perry of SunSoft.
Solaris 2.6: from John Beck of SunSoft.
Harris Nighthawk PowerUX (mh6000 box): from Bob Miorelli
of Pratt & Whitney <miorelli@pweh.com>.
CONFIG: It seems that I hadn't gotten the Received: line syntax
_just_right_ yet. Tweak it again. I'll omit the names
of the "contributors" (quantity two) in this one case.
As of now, NO MORE DISCUSSION about the syntax of the
Received: line.
CONFIG: Although FEATURE(nullclient) uses EXPOSED_USER (class $=E),
it never inserts that class into the output file. Fix it
so it will honor EXPOSED_USER but will _not_ include root
automatically in this class. Problem noted by Ronan KERYELL
of Centre de Recherche en Informatique de l'<27>cole Nationale
Sup<75>rieure des Mines de Paris (CRI-ENSMP).
CONFIG: Clean up handling of "local:" syntax in relay specifications
such as LUSER_RELAY. This change permits the following
syntaxes: ``local:'' will send to the same user on the
local machine (e.g., in a mailertable entry for "host",
``local:'' will cause an address addressed to user@host to
go to user on the local machone). ``local:user'' will send
to the named user on the local machine. ``local:user@host''
is equivalent to ``local:user'' (the host is ignored). In
all cases, the original user@host is passed in $@ (i.e., the
detail information). Inspired by a report from Michael Fuhr.
CONFIG: Strip quotes from the first word of an "error:" host
indication. This lets you set (for example) the LUSER_RELAY
to be ``error:\"5.1.1\" Your Message Here''. Note the use
of the \" so that the resulting string is properly quoted.
Problem noted by Gregory Neil Shapiro of WPI.
OP.ME: documentation was inconsistent about whether sendmail did a
NOOP or a RSET to probe the connection (it does a RSET).
Inconsistency noted by Deeran Peethamparam.
OP.ME: insert additional blank pages so it will print properly on
a duplex printer. From Matthew Black of Cal State University,
Long Beach.
8.8.4/8.8.4 96/12/02
SECURITY: under some circumstances, an attacker could get additional
permissions by hard linking to files that were group
writable by the attacker. The solution is to disallow any
files that have hard links -- this will affect .forward,
:include:, and output files. Problem noted by Terry
Kyriacopoulos of Interlog Internet Services. As a
workaround, set UnsafeGroupWrites -- always a good idea.
SECURITY: the TryNullMXList (w) option should not be safe -- if it
is, it is possible to do a denial-of-service attack on
MX hosts that rely on the use of the null MX list. There
is no danger if you have this option turned off (the default).
Problem noted by Dan Bernstein. Also, make the DontInitGroups
unsafe. I know of no specific attack against this, although
a denial-of-service attack is probably possible, but in theory
you should not be able to safely tweak anything that affects
the permissions that are used when mail is delivered.
Purgestat could go into an infinite loop if one of the host status
directories somehow became empty. Problem noted by Roy
Mongiovi of Georgia Tech.
Processes got "lost" when counting children due to a race condition.
This caused "proc_list_probe: lost pid" messages to be logged.
Problem noted by several people.
On systems with System V SIGCLD child signal semantics (notably AIX
and HP-UX), mail transactions would print the message "451
SMTP-MAIL: lost child: No child processes". Problem noted
by several people.
Miscellaneous compiler warnings on picky compilers (or when setting
gcc to high warning levels). From Tom Moore of NCR Corp.
SMTP protocol errors, and most errors on MAIL FROM: lines should
not be persistent between runs, since they are based on the
message rather than the host. Problem noted by Matt Dillon
of Best Internet Communications.
The F=7 flag was ignored on SMTP mailers. Problem noted by Tom Moore
of NCR (a.k.a., AT&T Global Information Solutions).
Avoid the possibility of having a child daemon run to completion
(including closing the SMTP socket) before the parent has
had a chance to close the socket; this can cause the parent
to hang for a long time waiting for the socket to drain.
Patch from Don Lewis of TDK Semiconductor.
If the fork() failed in a queue run, the queue runners would not be
rescheduled (so queue runs would stop). Patch from Don Lewis.
Some error conditions in ETRN could cause output without an SMTP
status code. Problem noted by Don Lewis.
Multiple :maildrop addresses in the user database didn't work properly.
Patch from Roy Mongiovi of Georgia Tech.
Add ".db" automatically onto any user database spec that does not
already have it; this is for consistency with makemap, the
K line, and the documentation. Inconsistency pointed out
by Roy Mongiovi.
Allow sendmail to be properly called in nohup mode. Patch from
Kyle Jones of UUNET.
Change ETRN to ignore but still update host status files; previously
it would ignore them and not save the updated status, which
caused stale information to be maintained. Based on a patch
from Christopher Davis of Kapor Enterprises Inc. Also, have
ETRN ignore the MinQueueAge option.
Patch long term host status to recover more gracefully from an empty
host status file condition. Patch from NAKAMURA Motonori
of Kyoto University.
Several patches to signal handling code to fix potential race
conditions from Don Lewis.
Make it possible to compile with -DDAEMON=0 (previously it had some
compile errors). This turns DAEMON, QUEUE, and SMTP into
0/1 compilation flags. Note that DAEMON is an obsolete
compile flag; use NETINET instead. Solution based on a
patch from Bryan Costales.
PORTABILITY FIXES:
AIX4: getpwnam() and getpwuid() do a sequential scan of the
/etc/security/passwd file when called as root. This
is very slow on some systems. To speed it up, use the
(undocumented) _getpw{nam,uid}_shadow() routines.
Patch from Chris Thomas of UCLA/OAC Systems Group.
SCO 5.x: include -lprot in the Makefile. Patch from Bill
Glicker of Burrelle's Information Service.
NEWS-OS 4.x: need a definition for MODE_T to compile. Patch
from Makoto MATSUSHITA of Osaka University.
SunOS 4.0.3: compile problems. Patches from Andrew Cole of
Leeds University and SASABE Tetsuro of the University
of Tokyo.
DG/UX 5.4.4.11 from Brian J. Murrell of InterLinx Support
Services, Inc.
Domain/OS from Don (Truck) Lewis of TDK Semiconductor Corp.
I believe this to have only been a problem if you
compiled with -DUSE_VENDOR_CF_PATH -- another reason
to stick with /etc/sendmail.cf as your One True Path.
Digital UNIX (OSF/1 on Alpha) load average computation from
Martin Laubach of the Technischen Universit<69>t Wien.
CONFIG: change default Received: line to be multiple lines rather
than one long one. By popular demand.
MAIL.LOCAL: warnings weren't being logged on some systems. Patch
from Jerome Berkman of U.C. Berkeley.
MAKEMAP: be sure to zero hinfo to avoid cruft that can cause runs
to take a very long time. Problem noted by Yoshiro YONEYA
of NTT Software Corporation.
CONTRIB: add etrn.pl, contributed by John Beck.
NEW FILES:
contrib/etrn.pl
8.8.3/8.8.3 96/11/17
SECURITY: it was possible to get a root shell by lying to sendmail
about argv[0] and then sending it a signal. Problem noted
by Leshka Zakharoff <leshka@leshka.chuvashia.su> on the
best-of-security list.
Log sendmail binary version number in "Warning: .cf version level
(%d) exceeds program functionality (%d) message" -- this
should make it clearer to people that they are running
the wrong binary.
Fix a problem that occurs when you open an SMTP connection and then
do one or more ETRN commands followed by a MAIL command; at
the end of the DATA phase sendmail would incorrectly report
"451 SMTP-MAIL: lost child: No child processes". Problem
noted by Eric Bishop of Virginia Tech.
When doing text-based host canonification (typically /etc/hosts
lookup), a null host name would match any /etc/hosts entry
with space at the end of the line. Problem noted by Steve
Hubert of the University of Washington, Seattle.
7 to 8 bit BASE64 MIME conversions could duplicate bits of text.
Problem reported by Tom Smith of Digital Equipment Corp.
Increase the size of the DNS answer buffer -- the standard UDP packet
size PACKETSZ (512) is not sufficient for some nameserver
answers containing very many resource records. The resolver
may also switch to TCP and retry if it detects UDP packet
overflow. Also, allow for the fact that the resolver
routines res_query and res_search return the size of the
*un*truncated answer in case the supplied answer buffer it
not big enough to accommodate the entire answer. Patch from
Eric Wassenaar.
Improvements to MaxDaemonChildren code. If you think you have too
many children, probe the ones you have to verify that they
are still around. Suggested by Jared Mauch of CICnet, Inc.
Also, do this probe before growing the vector of children
pids; this previously caused the vector to grow indefinitely
due to a race condition. Problem reported by Kyle Jones of
UUNET.
On some architectures, <db.h> (from the Berkeley DB library) defines
O_EXLOCK to zero; this fools the map compilation code into
thinking that it can avoid race conditions by locking on open.
Change it to check for O_EXLOCK non-zero. Problem noted by
Leif Erlingsson of Data Lege.
Always call res_init() on startup (if compiled in, of course) to
allow the sendmail.cf file to tweak resolver flags; without
it, flag tweaks in ResolverOptions are ignored. Patch from
Andrew Sun of Merrill Lynch.
Improvements to host status printing code. Suggested by Steve Hubert
of the University of Washington, Seattle.
Change MinQueueAge option processing to do the check for the job age
when reading the queue file, rather than at the end; this
avoids parsing the addresses, which can do DNS lookups.
Problem noted by John Beck of InReference, Inc.
When MIME was being 7->8 bit decoded, "From " lines weren't being
properly escaped. Problem noted by Peter Nilsson of the
University of Linkoping.
In some cases, sendmail would retain root permissions during queue
runs even if RunAsUser was set. Problem noted by Mark
Thomas of Mark G. Thomas Consulting.
If the F=l flag was set on an SMTP mailer to indicate that it is
actually local delivery, and NOTIFY=SUCCESS is specified in
the envelope, and the receiving SMTP server speaks DSN, then
the DSN would be both generated locally and propagated to the
other end.
The U= mailer field didn't correctly extract the group id if the
user id was numeric. Problem noted by Kenneth Herron of
MCI Telecommunications Communications.
If a message exceeded the fixed maximum size on input, the body of
the message was included in the bounce. Note that this did
not occur if it exceeded the maximum _output_ size. Problem
reported by Kyle Jones of UUNET.
PORTABILITY FIXES:
AIX4: 4.1 doesn't have a working setreuid(2); change the
AIX4 defines to use seteuid(2) instead, which
works on 4.1 as well as 4.2. Problem noted by
H<>kan Lindholm of interAF, Sweden.
AIX4: use tzname[] vector to determine time zone name.
Patch from NAKAMURA Motonori of Kyoto University.
MkLinux: add Makefile.Linux.ppc and OSTYPE(mklinux) support.
Contributed by Paul DuBois <dubois@primate.wisc.edu>.
Solaris: kstat(3k) support for retrieving the load average.
This adds the LA_KSTAT definition for LA_TYPE.
The outline of the implementation was contributed
by Michael Tokarev of Telecom Service, JSC, Moscow.
HP-UX 10.0 gripes about the (perfectly legal!) forward
declaration of struct rusage at the top of conf.h;
change it to only be included if you are using gcc,
which is apparently the only compiler that requires
it in the first place. Problem noted by Jeff
Earickson of Colby College.
IRIX: don't default to using gcc. IRIX is a civilized
operating system that comes with a decent compiler
by default. Problem noted by Barry Bouwsma and
Kari Hurtta.
CONFIG: specify F=9 as default in FEATURE(local_procmail) for
consistency with other local mailers. Inconsistency
pointed out by Teddy Hogeborn <teddy@fukt.hk-r.se>.
CONFIG: if the "limited best mx" feature is used (to reduce DNS
overhead) as part of the bestmx_is_local feature, the
domain part was dropped from the name. Patch from Steve
Hubert of the University of Washington, Seattle.
CONFIG: catch addresses of the form "user@.dom.ain"; these could
end up being translated to the null host name, which would
return any entry in /etc/hosts that had a space at the end
of the line. Problem noted by Steve Hubert of the
University of Washington, Seattle.
CONFIG: add OSTYPE(aix4). From Michael Sofka of Rensselaer
Polytechnic Institute.
MAKEMAP: tweak hash and btree parameters for better performance.
Patch from Matt Dillon of Best Internet Communications.
NEW FILES:
src/Makefiles/Makefile.Linux.ppc
cf/ostype/aix4.m4
cf/ostype/mklinux.m4
8.8.2/8.8.2 96/10/18
SECURITY: fix a botch in the 7-bit MIME patch; the previous patch
changed the code but didn't fix the problem.
PORTABILITY FIXES:
Solaris: Don't use the system getusershell(3); it can
apparently corrupt the heap in some circumstances.
Problem found by Ken Pizzini of Spry, Inc.
OP.ME: document several mailer flags that were accidentally omitted
from this document. These flags were F=d, F=j, F=R, and F=9.
CONFIG: no changes.
8.8.1/8.8.1 96/10/17
SECURITY: unset all environment variables that the resolver will
examine during queue runs and daemon mode. Problem noted
by Dan Bernstein of the University of Illinois at Chicago.
SECURITY: in some cases an illegal 7-bit MIME-encoded text/plain
message could overflow a buffer if it was converted back
to 8 bits. This caused core dumps and has the potential
for a remote attack. Problem first noted by Gregory Shapiro
of WPI.
Avoid duplicate deliveries of error messages on systems that don't
have flock(2) support. Patch from Motonori Nakamura of
Kyoto University.
Ignore null FallBackMX (V) options. If this option is null (as
opposed to undefined) it can cause "null signature" syserrs
on illegal host names.
If a Base64 encoded text/plain message has no trailing newline in
the encoded text, conversion back to 8 bits will drop the
final line. Problem noted by Pierre David.
If running with a RunAsUser, sendmail would give bogus "cannot
setuid" (or seteuid, or setreuid) messages on some systems.
Problem pointed out by Jordan Mendelson of Web Services, Inc.
Always print error messages in -bv mode -- previously, -bv would
be absolutely silent on errors if the error mode was sent
to (say) mail-back. Problem noted by Kyle Jones of UUNET.
If -qI/R/S is set (or the ETRN command is used), ignore all long
term host status. This is necessary because it is common
to do this when you know a host has just come back up.
Disallow duplicate HELO/EHLO commands as required by RFC 1651 section
4.2. Excessive permissiveness noted by Lee Flight of the
University of Leicester.
If a service (such as NIS) is specified as the last entry in the
service switch, but that service is not compiled in, sendmail
would return a temporary failure when an entry was not found
in the map. This caused the message to be queued instead of
bouncing immediately. Problem noted by Harry Edmon of the
University of Washington.
PORTABILITY FIXES:
Solaris 2.3 had compilation problems in conf.c. Several
people pointed this out.
NetBSD from Charles Hannum of MIT.
AIX4 improvements based on info from Steve Bauer of South
Dakota School of Mines & Technology.
CONFIG: ``error:code message'' syntax was broken in virtusertable.
Patch from Gil Kloepfer Jr.
CONFIG: if FEATURE(nocanonify) was specified, hosts in $=M (set
using MASQUERADE_DOMAIN) were not masqueraded unless they
were also in $=w. Problem noted by Zoltan Basti of
Softec.
MAIL.LOCAL: patches to compile and link cleanly on AIX. Based
on a patch from Eric Hagberg of Morgan Stanley.
MAIL.LOCAL: patches to compile on NEXTSTEP. From Patrick Nolan
of Stanford via Robert La Ferla.
8.8.0/8.8.0 96/09/26
Under some circumstances, Bcc: headers would not be properly
deleted. Pointed out by Jonathan Kamens of OpenVision.
Log a warning if the sendmail daemon is invoked without a full
pathname, which prevents "kill -1" from working. I was
urged to put this in by Andrey A. Chernov of DEMOS (Russia).
Fix small buffer overflow. Since the data in this buffer was not
read externally, there was no security problem (and in fact
probably wouldn't really overflow on most compilers). Pointed
out by KIZU takashi of Osaka University.
Fix problem causing domain literals such as [1.2.3.4] to be ignored
if a FallbackMXHost was specified in the configuration file
-- all mail would be sent to the fallback even if the original
host was accessible. Pointed out by Munenari Hirayama of
NSC (Japan).
A message that didn't terminate with a newline would (sometimes) not
have the trailing "." added properly in the SMTP dialogue,
causing SMTP to hang. Patch from Per Hedeland of Ericsson.
The DaemonPortOptions suboption to bind to a particular address was
incorrect and nonfunctional due to a misunderstanding of the
semantics of binding on a passive socket. Patch from
NIIBE Yutaka of Mitsubishi Research Institute.
Increase the number of MX hosts for a single name to 100 to better
handle the truly huge service providers such as AOL, which
has 13 at the moment (and climbing). In order to avoid
trashing memory, the buffer for all names has only been
slightly increased in size, to 12.8K from 10.2K -- this means
that if a single name had 100 MX records, the average size
of those records could not exceed 128 bytes. Requested by
Brad Knowles of America On Line.
Restore use of IDENT returns where the OSTYPE field equals "OTHER".
Urged by Dan Bernstein of U.C. Berkeley.
Print q_statdate and q_specificity in address structure debugging
printout.
Expand MCI structure flag bits for debugging output.
Support IPv6-style domain literals, which can have colons between
square braces.
Log open file descriptors for the "cannot dup" messages in deliver();
this is an attempt to track down a bug that one person seems
to be having (it may be a Solaris bug!).
DSN NOTIFY parameters were not properly propagated across queue runs;
this caused the NOTIFY info to sometimes be lost. Problem
pointed out by Claus Assmann of the
Christian-Albrechts-University of Kiel.
The statistics gathered in the sendmail.st file were too high; in
some cases failures (e.g., user unknown or temporary failure)
would count as a delivery as far as the statistics were
concerned. Problem noted by Tom Moore of AT&T GIS.
Systems that don't have flock() would not send split envelopes in
the initial run. Problem pointed out by Leonard Zubkoff of
Dandelion Digital.
Move buffer overflow checking -- these primarily involve distrusting
results that may come from NIS and DNS.
4.4-BSD-derived systems, including FreeBSD, NetBSD, and BSD/OS didn't
include <paths.h> and hence had the wrong pathnames for a few
things like /var/tmp. Reported by Matthew Green.
Conditions were reversed for the Priority: header, resulting in all
values being interpreted as non-urgent except for non-urgent,
which was interpreted as normal. Patch from Bryan Costales.
The -o (optional) flag was being ignored on hash and btree maps
since 8.7.2. Fix from Bryan Costales.
Content-Types listed in class "q" will always be encoded as
Quoted-Printable (or more accurately, will never be encoded
as base64). The class can have primary types (e.g., "text")
or full types (e.g., "text/plain"). Based on a suggestion by
Marius Olafsson of the University of Iceland.
Define ${envid} to be the original envelope id (from the ESMTP DSN
dialogue) so it can be passed to programs in mailers.
Define ${bodytype} to be the body type (from the -B flag or the
BODY= ESMTP parameter) so it can be passed to programs in
mailers.
Cause the VRFY command to return 252 instead of 250 unless the F=q
flag is set in the mailer descriptor. Suggested by John
Myers of CMU.
Implement ESMTP ETRN command to flush the queue for a specific host.
The command takes a host name; data for that host is
immediately (and asynchronously) flushed. Because this shares
the -qR implementation, other hosts may be attempted, but
there should be no security implications. Implementation
from John Beck of InReference, Inc. See RFC 1985 for details.
Add three new command line flags to pass in DSN parameters: -V envid
(equivalent to ENVID=envid on the MAIL command), -R ret
(equivalent to RET=ret on the MAIL command), and -Nnotify
(equivalent to NOTIFY=notify on the RCPT command). Note
that the -N flag applies to all recipients; there is no way
to specify per-address notifications on the command line,
nor is there an equivalent for the ORCPT= per-address
parameter.
Restore LogLevel option to be safe (it can only be increased);
apparently I went into paranoid mode between 8.6 and 8.7
and made it unsafe. Pointed out by Dabe Murphy of the
University of Maryland.
New logging on log level 15: all SMTP traffic. Patches from
Andrew Gross of San Diego Supercomputer Center.
NetInfo property value searching code wasn't stopping when it found
a match. This was causing the wrong values to be found (and
had a memory leak). Found by Bastian Schleuter of TU-Berlin.
Add new F=0 (zero) mailer flag to turn off MX lookups. It was pointed
out by Bill Wisner of Electronics for Imaging that you can't
use the bracket address form for the MAIL_HUB macro, since
that causes the brackets to remain in the envelope recipient
address used for delivery. The simple fix (stripping off the
brackets in the config file) breaks the use of IP literal
addresses. This flag will solve that problem.
Add MustQuoteChars option. This is a list of characters that must
be quoted if they are found in the phrase part of an address
(that is, the full name part). The characters @,;:\()[] are
always in this list and cannot be removed. The default is
this list plus . and ' to match RFC 822.
Add AllowBogusHELO option; if set, sendmail will allow HELO commands
that do not include a host name for back compatibility with
some stupid SMTP clients. Setting this violates RFC 1123
section 5.2.5.
Add MaxDaemonChildren option; if this is set, sendmail will start
rejecting connections if it has more than this many
outstanding children accepting mail. Note that you may
see more processes than this because of outgoing mail; this
is for incoming connections only.
Add ConnectionRateThrottle option. If set to a positive value, the
number of incoming SMTP connections that will be permitted
in a single second is limited to this number. Connections are
not refused during this time, just deferred. The intent is to
flatten out demand so that load average limiting can kick in.
It is less radical than MaxDaemonChildren, which will stop
accepting connections even if all the connections are idle
(e.g., due to connection caching).
Add Timeout.hoststatus option. This interval (defaulting to 30m)
specifies how long cached information about the state of a
host will be kept before they are considered stale and the
host is retried. If you are using persistent host status
(i.e., the HostStatusDirectory option is set) this will apply
between runs; otherwise, it applies only within a single queue
run and hence is useful only for hosts that have large queues
that take a very long time to run.
Add SingleLineFromHeader option. If set, From: headers are coerced
into being a single line even if they had newlines in them
when read. This is to get around a botch in Lotus Notes.
Text class maps were totally broken -- if you ever retrieved the last
item in a table it would be truncated. Problem noted by
Gregory Neil Shapiro of WPI.
Extend the lines printed by the mailq command (== the -bp flag) when
-v is given to 120 characters; this allows more information
to be displayed. Suggested by Gregory Neil Shapiro of WPI.
Allow macro definitions (`D' lines) with unquoted commas; previously
this was treated as end-of-input. Problem noted by Bryan
Costales.
The RET= envelope parameter (used for DSNs) wasn't properly written
to the queue file. Fix from John Hughes of Atlantic
Technologies, Inc.
Close /var/tmp/dead.letter after a successful write -- otherwise
if this happens in a queue run it can cause nasty delays.
Problem noted by Mark Horton of AT&T.
If userdb entries pointed to userdb entries, and there were multiple
values for a given key, the database cursor would get
trashed by the recursive call. Problem noted by Roy Mongiovi
of Georgia Tech. Fixed by reading all the values and creating
a comma-separated list; thus, the -v output will be somewhat
different for this case.
Fix buffer allocation problem with Hesiod-based userdb maps when
HES_GETMAILHOST is defined. Based on a patch by Betty Lee
of Stanford University.
When envelopes were split due to aliases with owner- aliases, and
there was some error on one of the lists, more than one of
the owners would get the message. Problem pointed out by
Roy Mongiovi of Georgia Tech.
Detect excessive recursion in macro expansions, e.g., $X defined
in terms of $Y which is defined in terms of $X. Problem
noted by Bryan Costales; patch from Eric Wassenaar.
When using F=U to get "ugly UUCP" From_ lines, a buffer could in
some cases get trashed causing bogus From_ lines. Fix from
Kyle Jones of UUNET.
When doing load average initialization, if the nlist call for avenrun
failed, the second and subsequent lookups wouldn't notice
that fact causing bogus load averages to be returned. Noted
by Casper Dik of Sun Holland.
Fix problem with incompatibility with some versions of inet_aton that
have changed the return value to unsigned, so a check for an
error return of -1 doesn't work. Use INADDR_NONE instead.
This could cause mail to addresses such as [foo.com] to bounce
or get dropped. Problem noted by Christophe Wolfhugel of the
Pasteur Institute.
DSNs were inconsistent if a failure occurred during the DATA phase
rather than the RCPT phase: the Action: would be correct, but
the detailed status information would be wrong. Problem noted
by Bob Snyder of General Electric Company.
Add -U command line flag and the XUSR ESMTP extension, both indicating
that this is the initial MUA->MTA submission. The flag current
does nothing, but in future releases (when MUAs start using
these flags) it will probably turn on things like DNS
canonification.
Default end-of-line string (E= specification on mailer [M] lines)
to \r\n on SMTP mailers. Default remains \n on non-SMTP
mailers.
Change the internal definition for the *file* and *include* mailers
to have $u in the argument vectors so that they aren't
misinterpreted as SMTP mailers and thus use \r\n line
termination. This will affect anyone who has redefined
either of these in their configuration file.
Don't assume that IDENT servers close the connection after a query;
responses can be newline terminated. From Terry Kennedy of
St. Peter's College.
Avoid core dumps on erroneous configuration files that have
$#mailer with nothing following. From Bryan Costales.
Avoid null pointer dereference with high debug values in unlockqueue.
Fix from Randy Martin of Clemson University.
Fix possible buffer overrun when expanding very large macros. Fix
from Kyle Jones of UUNET.
After 25 EXPN or VRFY commands, start pausing for a second before
processing each one. This avoids a certain form of denial
of service attack. Potential attack pointed out by Bryan
Costales.
Allow new named (not numbered!) config file rules to do validity
checking on SMTP arguments: check_mail for MAIL commands and
check_rcpt for RCPT commands. These rulesets can do anything
they want; their result is ignored unless they resolve to the
$#error mailer, in which case the indicated message is printed
and the command is rejected. Similarly, the check_compat
ruleset is called before delivery with "from_addr $| to_addr"
(the $| is a meta-symbol used to separate the two addresses);
it can give a "this sender can't send to this recipient"
notification. Note that this patch allows $| to stand alone
in rulesets.
Define new macros ${client_name}, ${client_addr}, and ${client_port}
that have the name, IP address, and port number (respectively)
of the SMTP client (that is, the entity at the other end of
the connection. These can be used in (e.g.) check_rcpt to
verify that someone isn't trying to relay mail through your
host inappropriately. Be sure to use the deferred evaluation
form, for example $&{client_name}, to avoid having these bound
when sendmail reads the configuration file.
Add new config file rule check_relay to check the incoming connection
information. Like check_compat, it is passed the host name
and host address separated by $| and can reject connections
on that basis.
Allow IDA-style recursive function calls. Code contributed by Mark
Lovell and Paul Vixie.
Eliminate the "No ! in UUCP From address!" message" -- instead, create
a virtual UUCP address using either a domain address or the $k
macro. Based on code contributed by Mark Lovell and Paul
Vixie.
Add Stanford LDAP map. Requires special libraries that are not
included with sendmail. Contributed by Booker C. Bense
<bbense@networking.stanford.edu>; contact him for support.
See also the src/READ_ME file.
Allow -dANSI to turn on ANSI escape sequences in debug output; this
puts metasymbols (e.g., $+) in reverse video. Really useful
only for debugging deep bits of code where it is important to
distinguish between the single-character metasymbol $+ and the
two characters $, +.
Changed ruleset 89 (executed in dumpstate()) to a named ruleset,
debug_dumpstate.
Add new UnsafeGroupWrites option; if set, .forward and :include:
files that are group writable are considered "unsafe" -- that
is, programs and files referenced from such files are not
valid recipients.
Delete bogosity test for FallBackMX host; this prevented it to be a
name that was not in DNS or was a domain-literal. Problem
noted by Tom May.
Change the introduction to error messages to more clearly delineate
permanent from temporary failures; if both existed in a
single message it could be confusing. Suggested by John
Beck of InReference, Inc.
The IngoreDot (i) option didn't work for lines that were terminated
with CRLF. Problem noted by Ted Stockwell of Secure
Computing Corporation.
Add a heuristic to improve the handling of unbalanced `<' signs in
message headers. Problem reported by Matt Dillon of Best
Internet Communications.
Check for bogus characters in the 0200-0237 range; since these are
used internally, very strange errors can occur if those
characters appear in headers. Problem noted by Anders Gertz
of Lysator.
Implement 7 -> 8 bit MIME conversions. This only takes place if the
recipient mailer has the F=9 flag set, and only works on
text/plain body types. Code contributed by Marius Olafsson
of the University of Iceland.
Special case "postmaster" name so that it is always treated as lower
case in alias files regardless of configuration settings;
this prevents some potential problems where "Postmaster" or
"POSTMASTER" might not match "postmaster". In most cases
this change is a no-op.
The -o map flag was ignored for text maps. Problem noted by Bryan
Costales.
The -a map flag was ignored for dequote maps. Problem noted by
Bryan Costales.
Fix core dump when a lookup of a class "prog" map returns no
response. Patch from Bryan Costales.
Log instances where sendmail is deferring or rejecting connections
on LogLevel 14. Suggested by Kyle Jones of UUNET.
Include port number in process title for network daemons. Suggested
by Kyle Jones of UUNET.
Send ``double bounces'' (errors that occur when sending an error
message) to the address indicated in the DoubleBounceAddress
option (default: postmaster). Previously they were always
sent to postmaster. Suggested by Kyle Jones of UUNET.
Add new mode, -bD, that acts like -bd in all respects except that
it runs in foreground. This is useful for using with a
wrapper that "watches" system services. Suggested by Kyle
Jones of UUNET.
Fix botch in spacing around (parenthesized) comments in addresses
when the comment comes before the address. Patch from
Motonori Nakamura of Kyoto University.
Use the prefix "Postmaster notify" on the Subject: lines of messages
that are being bounced to postmaster, rather than "Returned
mail". This permits the person who is postmaster more
easily determine what messages are to their role as
postmaster versus bounces to mail they actually sent. Based
on a suggestion by Motonori Nakamura.
Add new value "time" for QueueSortOrder option; this causes the queue
to be sorted strictly by the time of submission. Note that
this can cause very bad behavior over slow lines (because
large jobs will tend to delay small jobs) and on nodes with
heavy traffic (because old things in the queue for hosts that
are down delay processing of new jobs). Also, this does not
guarantee that jobs will be delivered in submission order
unless you also set DeliveryMode=queue. In general, it should
probably only be used on the command line, and only in
conjunction with -qRhost.domain. In fact, there are very few
cases where it should be used at all. Based on an
implementation by Motonori Nakamura.
If a map lookup in ruleset 5 returns tempfail, queue the message in
the same manner as other rulesets. Previously a temporary
failure in ruleset 5 was ignored. Patch from Booker Bense
of Stanford University.
Don't proceed to the next MX host if an SMTP MAIL command returns a
5yz (permanent failure) code. The next MX host will still be
tried if the connection cannot be opened in the first place
or if the MAIL command returns a 4yz (temporary failure) code.
(It's hard to know what to do here, since neither RFC 974 nor
RFC 1123 specify when to proceed to the next MX host.)
Suggested by Jonathan Kamens of OpenVision, Inc.
Add new "-t" flag for map definitions (the "K" line in the .cf file).
This causes map lookups that get a temporary failure (e.g.,
name server failure) to _not_ defer the delivery of the
message. This should only be used if your configuration file
is prepared to do something sensible in this case. Based on
an idea by Gregory Shapiro of WPI.
Fix problem finding network interface addresses. Patch from
Motonori Nakamura.
Don't reject qf entries that are not owned by your effective uid if
you are not running setuid; this makes management of certain
kinds of firewall setups difficult. Patch suggested by
Eamonn Coleman of Qualcomm.
Add persistent host status. This keeps the information normally
maintained within a single queue run in disk files that are
shared between sendmail instances. The HostStatusDirectory
is the directory in which the information is maintained. If
not set, persistent host status is turned off. If not a full
pathname, it is relative to the queue directory. A common
value is ".hoststat".
There are also two new operation modes:
* -bh prints the status of hosts that have had recent
connections.
* -bH purges the host statuses. No attempt is made to save
recent status information.
This feature was originally written by Paul Vixie of Vixie
Enterprises for KJS and adapted for V8 by Mark Lovell of
Bigrock Consulting. Paul's funding of Mark and Mark's patience
with my insistence that things fit cleanly into the V8
framework is gratefully appreciated.
New SingleThreadDelivery option (requires HostStatusDirectory to
operate). Avoids letting two sendmails on the local machine
open connections to the same remote host at the same time.
This reduces load on the other machine, but can cause mail to
be delayed (for example, if one sendmail is delivering a huge
message, other sendmails won't be able to send even small
messages). Also, it requires another file descriptor (for the
lock file) per connection, so you may have to reduce
ConnectionCacheSize to avoid running out of per-process
file descriptors. Based on the persistent host status code
contributed by Paul Vixie and Mark Lovell.
Allow sending to non-simple files (e.g., /dev/null) even if the
SafeFileEnvironment option is set. Problem noted by Bryan
Costales.
The -qR flag mistakenly matched flags in the "R" line of the queue
file. Problem noted by Bryan Costales.
If a job was aborted using the interrupt signal (e.g., control-C from
the keyboard), on some occasions an empty df file would be
left around; these would collect in the queue directory.
Problem noted by Bryan Costales.
Change the makesendmail script to enhance the search for Makefiles
based on release number. For example, on SunOS 5.5.1, it will
search for Makefile.SunOS.5.5.1, Makefile.SunOS.5.5, and then
Makefile.SunOS.5.x (in addition to the other rules, e.g.,
adding $arch). Problem noted by Jason Mastaler of Atlanta
Webmasters.
When creating maps using "newaliases", always map the keys to lower
case when creating the map unless the -f flag is specified on
the map itself. Previously this was done based on the F=u
flag in the local mailer, which meant you could create aliases
that you could never access. Problem noted by Bob Wu of DEC.
When a job was read from the queue, the bits causing notification on
failure or delay were always set. This caused those
notifications to be sent even if NOTIFY=NEVER had been
specified. Problem noted by Steve Hubert of the University
of Washington, Seattle.
Add new configurable routine validate_connection (in conf.c). This
lets you decide if you are willing to accept traffic from
this host. If it returns FALSE, all SMTP commands will return
"550 Access denied". -DTCPWRAPPERS will include support for
TCP wrappers; you will need to add -lwrap to the link line.
(See src/READ_ME for details.)
Don't include the "THIS IS A WARNING MESSAGE ONLY" banner on postmaster
bounces. Some people seemed to think that this could be
confusing (even though it is true). Suggested by Motonori
Nakamura.
Add new RunAsUser option; this causes sendmail to do a setuid to that
user early in processing to avoid potential security problems.
However, this means that all .forward and :include: files must
be readable by that user, and all files to be written must be
writable by that user and all programs will be executed by that
user. It is also incompatible with the SafeFileEnvironment
option. In other words, it may not actually add much to
security. However, it should be useful on firewalls and other
places where users don't have accounts and the aliases file is
well constrained.
Add Timeout.iconnect. This is like Timeout.connect except it is used
only on the first attempt to delivery to an address. It could
be set to be lower than Timeout.connect on the principle that
the mail should go through quickly to responsive hosts; less
responsive hosts get to wait for the next queue run.
Fix a problem on Solaris that occasionally causes programs
(such as vacation) to hang with their standard input connected
to a UDP port. It also created some signal handling problems.
The problems turned out to be an interaction between vfork(2)
and some of the libraries, particularly NIS/NIS+. I am
indebted to Tor Egge <tegge@idt.ntnu.no> for this fix.
Change user class map to do the same matching that actual delivery
will do instead of just a /etc/passwd lookup. This adds
fuzzy matching to the user map. Patch from Dan Oscarsson.
The Timeout.* options are not safe -- they can be used to create a
denial-of-service attack. Problem noted by Christophe
Wolfhugel.
Don't send PostmasterCopy messages in the event of a "delayed"
notification. Suggested by Barry Bouwsma.
Don't advertise "VERB" ESMTP extension if the "noexpn" privacy
option is set, since this disables VERB mode. Suggested
by John Hawkinson of MIT.
Complain if the QueueDirectory (Q) option is not set. Problem noted
by Motonori Nakamura of Kyoto University.
Only queue messages on transient .forward open failures if there
were no successful opens. The previous behavior caused it
to queue even if a "fall back" .forward was found. Problem
noted by Ann-Kian Yeo of the Dept. of Information Systems
and Computer Science (DISCS), NUS, Singapore.
Don't do 8->7 bit conversions when bouncing a MIME message that
is bouncing because of a MIME error during 8->7 bit conversion;
the encapsulated message will bounce again, causing a loop.
Problem noted by Steve Hubert of the University of Washington.
Create xf (transcript) files using the TempFileMode option value
instead of 0644. Suggested by Ann-Kian Yeo of the
National University of Singapore.
Print errors if setgid/setuid/etc. fail during delivery. This helps
detect cases where DefaultUid is set to something that the
system can't cope with.
PORTABILITY FIXES:
Support for AIX/RS 2.2.1 from Mark Whetzel of Western
Atlas International.
Patches for Intel Paragon OSF/1 1.3 from Leo Bicknell
<bicknell@ufp.org>.
On DEC OSF/1 3.2 and earlier, the MatchGECOS code would only
work on the first recipient of a message due to a
bug in the getpwent family. If this is something you
use, you can define DEC_OSF_BROKEN_GETPWENT=1 for a
workaround. From Maximum Entropy of Sanford C.
Bernstein and Associates.
FreeBSD 1.1.5.1 uname -r returns a string containing
parentheses, which breaks makesendmail. Reported
by Piero Serini <piero@strider.ibenet.it>.
Sequent DYNIX/ptx 4.0.2 patches from Jack Woolley of
Systems and Computer Technology Corporation.
Solaris 2.x: omit the UUCP grade parameter (-g flag) because
it is system-dependent. Problem noted by J.J. Bailey
of Bailey Computer Consulting.
Pyramid NILE running DC/OSx support from Earle F. Ake of
Hassler Communication Systems Technology, Inc.
HP-UX 10.x compile glitches, reported by Anne Brink of the
U.S. Army and James Byrne of Harte & Lyne Limited.
NetBSD from Matthew Green of the NetBSD crew.
SCO 5.x from Keith Reynolds of SCO.
IRIX 6.2 from Robert Tarrall of the University of
Colorado and Kari Hurtta of the Finnish Meteorological
Institute.
UXP/DS (Fujitsu/ICL DS/90 series) support from Diego R.
Lopez, CICA (Seville).
NCR SVR4 MP-RAS 3.x support from Tom Moore of NCR.
PTX 3.2.0 from Kenneth Stailey of the US Department of Labor
Employment Standards Administration.
Altos System V (5.3.1) from Tim Rice of Multitalents.
Concurrent Systems Corporation Maxion from Donald R. Laster
Jr.
NetInfo maps (improved debugging and multi-valued aliases)
from Adrian Steinmann of Steinmann Consulting.
ConvexOS 11.5 (including SecureWare C2 and the Share Scheduler)
from Eric Schnoebelen of Convex.
Linux 2.0 mail.local patches from Horst von Brand.
NEXTSTEP 3.x compilation from Robert La Ferla.
NEXTSTEP 3.x code changes from Allan J. Nathanson of NeXT.
Solaris 2.5 configuration fixes for mail.local by Jim Davis
of the University of Arizona.
Solaris 2.5 has a working setreuid. Noted by David Linn of
Vanderbilt University.
Solaris changes for praliases, makemap, mailstats, and smrsh.
Previously you had to add -DSOLARIS in Makefile.dist;
this auto-detects. Based on a patch from Randall
Winchester of the University of Maryland.
CONFIG: add generic-nextstep3.3.mc file. Contributed by
Robert La Ferla of Hot Software.
CONFIG: allow mailertables to resolve to ``error:code message''
(where "code" is an exit status) on domains (previously
worked only on hosts). Patch from Cor Bosman of Xs4all
Foundation.
CONFIG: hooks for IPv6-style domain literals.
CONFIG: predefine ALIAS_FILE and change the prototype file so that
if it is undefined the AliasFile option is never set; this
should be transparent for most everyone. Suggested by John
Myers of CMU.
CONFIG: add FEATURE(limited_masquerade). Without this feature, any
domain listed in $=w is masqueraded. With it, only those
domains listed in a MASQUERADE_DOMAIN macro are masqueraded.
CONFIG: add FEATURE(masquerade_entire_domain). This causes
masquerading specified by MASQUERADE_DOMAIN to apply to all
hosts under those domains as well as the domain headers
themselves. For example, if a configuration had
MASQUERADE_DOMAIN(foo.com), then without this feature only
foo.com would be masqueraded; with it, *.foo.com would be
masqueraded as well. Based on an implementation by Richard
(Pug) Bainter of U. Texas.
CONFIG: add FEATURE(genericstable) to do a more general rewriting of
outgoing addresses. Defaults to ``hash -o /etc/genericstable''.
Keys are user names; values are outgoing mail addresses. Yes,
this does overlap with the user database, and figuring out
just when to use which one may be tricky. Based on code
contributed by Richard (Pug) Bainter of U. Texas with updates
from Per Hedeland of Ericsson.
CONFIG: add FEATURE(virtusertable) to do generalized rewriting of
incoming addresses. Defaults to ``hash -o /etc/virtusertable''.
Keys are either fully qualified addresses or just the host
part (with the @ sign). For example, a table containing:
info@foo.com foo-info
info@bar.com bar-info
@baz.org jane@elsewhere.net
would send all mail destined for info@foo.com to foo-info
(which is presumably an alias), mail addressed to info@bar.com
to bar-info, and anything addressed to anyone at baz.org will
be sent to jane@elsewhere.net. The names foo.com, bar.com,
and baz.org must all be in $=w. Based on discussions with
a great many people.
CONFIG: add nullclient configurations to define SMTP_MAILER_FLAGS.
Suggested by Richard Bainter.
CONFIG: add FAX_MAILER_ARGS to tweak the arguments passed to the
"fax" mailer.
CONFIG: allow mailertable entries to resolve to local:user; this
passes the original user@host in to procmail-style local
mailers as the "detail" information to allow them to do
additional clever processing. From Joe Pruett of
Teleport Corporation. Delivery to the original user can
be done by specifying "local:" (with nothing after the colon).
CONFIG: allow any context that takes "mailer:domain" to also take
"mailer:user@domain" to force mailing to the given user;
"local:user" can also be used to do local delivery. This
applies on *_RELAY and in the mailertable entries. Based
on a suggestion by Ribert Kiessling of Easynet.
CONFIG: Allow FEATURE(bestmx_is_local) to take an argument that
limits the possible domains; this reduces the number of DNS
lookups required to support this feature. For example,
FEATURE(bestmx_is_local, my.site.com) limits the lookups
to domains under my.site.com. Code contributed by Anthony
Thyssen <anthony@cit.gu.edu.au>.
CONFIG: LOCAL_RULESETS introduces any locally defined rulesets,
such as the check_rcpt ruleset. Suggested by Gregory Shapiro
of WPI.
CONFIG: MAILER_DEFINITIONS introduces any mailer definitions, in the
event you have to define local mailers. Suggested by
Gregory Shapiro of WPI.
CONFIG: fix cases where a three- (or more-) stage route-addr could
be misinterpreted as a list:...; syntax. Based on a patch by
Vlado Potisk <Vlado_Potisk@tempest.sk>.
CONFIG: Fix masquerading of UUCP addresses when the UUCP relay is
remotely connected. The address host!user was being
converted to host!user@thishost instead of host!user@uurelay.
Problem noted by William Gianopoulos of Raytheon Company.
CONFIG: add confTO_ICONNECT to set Timeout.iconnect.
CONFIG: change FEATURE(redirect) message from "User not local" to
"User has moved"; the former wording was confusing if the
new address is still on the local host. Based on a suggestion
by Andreas Luik.
CONFIG: add support in FEATURE(nullclient) for $=E (exposed users).
However, the class is not pre-initialized to contain root.
Suggested by Gregory Neil Shapiro.
CONTRIB: Remove XLA code at the request of the author, Christophe
Wolfhugel.
CONTRIB: Add re-mqueue.pl, contributed by Paul Pomes of Qualcomm.
MAIL.LOCAL: make it possible to compile mail.local on Solaris. Note
well: this produces a slightly different mailbox format (no
Content-Length: headers), file ownerships and modes are
different (not owned by group mail; mode 600 instead of 660),
and the local mailer flags will have to be tweaked (make them
match bsd4.4) in order to use this mailer. Patches from Paul
Hammann of the Missouri Research and Education Network.
MAIL.LOCAL: in some cases it could return EX_OK even though there
was a delivery error, such as if the ownership on the file
was wrong or the mode changed between the initial stat and
the open. Problem reported by William Colburn of the New
Mexico Institute of Mining and Technology.
MAILSTATS: handle zero length files more reliably. Patch from Bryan
Costales.
MAILSTATS: add man page contributed by Keith Bostic of BSDI.
MAKEMAP: The -d flag (to allow duplicate keys) to a btree map wasn't
honored. Fix from Michael Scott Shappe.
PRALIASES: add man page contributed by Keith Bostic of BSDI.
NEW FILES:
src/Makefiles/Makefile.AIX.2
src/Makefiles/Makefile.IRIX.6.2
src/Makefiles/Makefile.maxion
src/Makefiles/Makefile.NCR.MP-RAS.3.x
src/Makefiles/Makefile.SCO.5.x
src/Makefiles/Makefile.UXPDSV20
mailstats/mailstats.8
praliases/praliases.8
cf/cf/generic-nextstep3.3.mc
cf/feature/genericstable.m4
cf/feature/limited_masquerade.m4
cf/feature/masquerade_entire_domain.m4
cf/feature/virtusertable.m4
cf/ostype/aix2.m4
cf/ostype/altos.m4
cf/ostype/maxion.m4
cf/ostype/solaris2.ml.m4
cf/ostype/uxpds.m4
contrib/re-mqueue.pl
DELETED FILES:
src/Makefiles/Makefile.Solaris
contrib/xla/README
contrib/xla/xla.c
RENAMED FILES:
src/Makefiles/Makefile.NCR3000 => Makefile.NCR.MP-RAS.2.x
src/Makefiles/Makefile.SCO.3.2v4.2 => Makefile.SCO.4.2
src/Makefiles/Makefile.UXPDS => Makefile.UXPDSV10
src/Makefiles/Makefile.NeXT => Makefile.NeXT.2.x
src/Makefiles/Makefile.NEXTSTEP => Makefile.NeXT.3.x
8.7.6/8.7.3 96/09/17
SECURITY: It is possible to force getpwuid to fail when writing the
queue file, causing sendmail to fall back to running programs
as the default user. This is not exploitable from off-site.
Workarounds include using a unique user for the DefaultUser
(old u & g options) and using smrsh as the local shell.
SECURITY: fix some buffer overruns; in at least one case this allows
a local user to get root. This is not known to be exploitable
from off-site. The workaround is to disable chfn(1) commands.
8.7.5/8.7.3 96/03/04
Fix glitch in 8.7.4 when putting certain internal lines; this can
in some case cause connections to hang or messages to have
extra spaces in odd places. Patch from Eric Wassenaar;
reports from Eric Hall of Chiron Corporation, Stephen
Hansen of Stanford University, Dean Gaudet of HotWired,
and others.
8.7.4/8.7.3 96/02/18
SECURITY: In some cases it was still possible for an attacker to
insert newlines into a queue file, thus allowing access to
any user (except root).
CONFIG: no changes -- it is not a bug that the configuration
version number is unchanged.
8.7.3/8.7.3 95/12/03
Fix botch in name server timeout in RCPT code; this problem caused
two responses in SMTP, which breaks things horribly. Fix
from Gregory Neil Shapiro of WPI.
Verify that L= value on M lines cannot be negative, which could cause
negative array subscripting. Not a security problem since
this has to be in the config file, but it could have caused
core dumps. Pointed out by Bryan Costales.
Fix -d21 debug output for long macro names. Pointed out by Bryan
Costales.
PORTABILITY FIXES:
SCO doesn't have ftruncate. From Bill Aten of Computerizers.
IBM's version of arpa/nameser.h defaults to the wrong byte
order. Tweak it to work properly. Based on fixes
from Fletcher Mattox of UTexas and Betty Lee of
Stanford University.
CONFIG: add confHOSTS_FILE m4 variable to set HostsFile option.
Deficiency pointed out by Bryan Costales of ICSI.
8.7.2/8.7.2 95/11/19
REALLY fix the backslash escapes in SmtpGreetingMessage,
OperatorChars, and UnixFromLine options. They were not
properly repaired in 8.7.1.
Completely delete the Bcc: header if and only if there are other
valid recipient headers (To:, Cc: or Apparently-To:, the
last being a historic botch, of course). If Bcc: is the
only recipient header in the message, its value is tossed,
but the header name is kept. The old behavior (always keep
the header name and toss the value) allowed primary recipients
to see that a Bcc: went to _someone_.
Include queue id on ``Authentication-Warning: <host>: <user> set
sender to <address> using -f'' syslog messages. Suggested
by Kari Hurtta.
If a sequence or switch map lookup entry gets a tempfail but then
continues on to another map type, but the name is not found,
return a temporary failure from the sequence or switch map.
For example, if hosts search ``dns files'' and DNS fails
with a tempfail, the hosts map will go on and search files,
but if it fails the whole thing should be a tempfail, not
a permanent (host unknown) failure, even though that is the
failure in the hosts.files map. This error caused hard
bounces when it should have requeued.
Aliases to files such as /users/bar/foo/inbox, with /users/bar/foo
owned by bar mode 700 and inbox being setuid bar stopped
working properly due to excessive paranoia. Pointed out by
John Hawkinson of Panix.
An SMTP RCPT command referencing a host that gave a nameserver
timeout would return a 451 command (8.6 accepted it and
queued it locally). Revert to the 8.6 behavior in order
to simplify queue management for clustered systems. Suggested
by Gregory Neil Shapiro of WPI. The same problem could break
MH, which assumes that the SMTP session will succeed (tsk, tsk
-- mail gets lost!); this was pointed out by Stuart Pook of
Infobiogen.
Fix possible buffer overflow in munchstring(). This was not a security
problem because you couldn't specify any argument to this
without first giving up root privileges, but it is still a
good idea to avoid future problems. Problem noted by John
Hawkinson and Sam Hartman of MIT.
``452 Out of disk space for temp file'' messages weren't being
printed. Fix from David Perlin of Nanosoft.
Don't advertise the ESMTP DSN extension if the SendMimeErrors option
is not set, since this is required to get the actual DSNs
created. Problem pointed out by John Gardiner Myers of CMU.
Log permission problems that cause .forward and :include: files to
be untrusted or ignored on log level 12 and higher. Suggested
by Randy Martin of Clemson University.
Allow user ids in U= clauses of M lines to have hyphens and
underscores.
Fix overcounting of recipients -- only happened when sending to an
alias. Pointed out by Mark Andrews of SGI and Jack Woolley
of Systems and Computer Technology Corporation.
If a message is sent to an address that fails, the error message that
is returned could show some extraneous "success" information
included even if the user did not request success notification,
which was confusing. Pointed out by Allan Johannesen of WPI.
Config files that had no AliasFile definition were defaulting to
using /etc/aliases; this caused problems with nullclient
configurations. Change it back to the 8.6 semantics of
having no local alias file unless it is declared. Problem
noted by Charles Karney of Princeton University.
Fix compile problem if NOTUNIX is defined. Pointed out by Bryan
Costales of ICSI.
Map lookups of class "userdb" maps were always case sensitive; they
should be controlled by the -f flag like other maps. Pointed
out by Bjart Kvarme <bjart.kvarme@usit.uio.no>.
Fix problem that caused some addresses to be passed through ruleset 5
even when they were tagged as "sticky" by prefixing the
address with an "@". Patch from Thomas Dwyer III of Michigan
Technological University.
When converting a message to Quoted-Printable, prevent any lines with
dots alone on a line by themselves. This is because of the
preponderance of broken mailers that still get this wrong.
Code contributed by Per Hedeland of Ericsson.
Fix F{macro}/file construct -- it previously did nothing. Pointed
out by Bjart Kvarme of USIT/UiO (Norway).
Announce whether a cached connection is SMTP or ESMTP (in -v mode).
Requested by Allan Johannesen.
Delete check for text format of alias files -- it should be legal
to have the database format of the alias files without the
text version. Problem pointed out by Joe Rhett of Navigist,
Inc.
If "Ot" was specified with no value, the TZ variable was not properly
imported from the environment. Pointed out by Frank Crawford
<frank@ansto.gov.au>.
Some architectures core dumped on "program" maps that didn't have
extra arguments. Patch from Booker C. Bense of Stanford
University.
Queue run processes would re-spawn daemons when given a SIGHUP; only
the parent should do this. Fix from Brian Coan of the
Association for Progressive Communications.
If MinQueueAge was set and a message was considered but not run
during a queue run and the Timeout.queuereturn interval was
reached, a "timed out" error message would be returned that
didn't include the failed address (and claimed to be a warning
even though it was fatal). The fix is to not return such
messages until they are actually tried, i.e., in the next
MinQueueAge interval. Problem noted by Rein Tollevik of
SINTEF RUNIT, Oslo.
Add HES_GETMAILHOST compile flag to support MIT Hesiod distributions
that have the hes_getmailhost() routine. DEC Hesiod
distributions do not have this routine. Based on a patch
from Betty Lee of Stanford University.
Extensive cleanups to map open code to handle a locking race condition
in ndbm, hash, and btree format database files on some (most
non-4.4-BSD based) OS architectures. This should solve the
occasional "user unknown" problem during alias rebuilds that
has plagued me for quite some time. Based on a patch from
Thomas Dwyer III of Michigan Technological University.
PORTABILITY FIXES:
Solaris: Change location of newaliases and mailq from
/usr/ucb to /usr/bin to match Sun settings. From
James B. Davis of TCI.
DomainOS: Makefile.DomainOS doesn't require -ldbm. From
Don Lewis of Silicon Systems.
HP-UX 10: rename Makefile.HP-UX.10 => Makefile.HP-UX.10.x
so that the makesendmail script will find it. Pointed
out by Richard Allen of the University of Iceland.
Also, use -Aa -D_HPUX_SOURCE instead of -Ae, which
isn't supported on all compilers.
UXPDS: compilation fixes from Diego R. Lopez.
CONFIG: FAX mailer wasn't setting .FAX as a pseudo-domain unless
you also had a FAX_RELAY. From Thomas.Tornblom@Hax.SE.
CONFIG: Minor glitch in S21 -- attachment of local domain name
didn't have trailing dot. From Jim Hickstein of Teradyne.
CONFIG: Fix best_mx_is_local feature to allow nested addresses such as
user%host@thishost. From Claude Scarpelli of Infobiogen
(France).
CONFIG: OSTYPE(hpux10) failed to define the location of the help file.
Pointed out by Hannu Martikka of Nokia Telecommunications.
CONFIG: Diagnose some inappropriate ordering in configuration files,
such as FEATURE(smrsh) listed after MAILER(local). Based on
a bug report submitted by Paul Hoffman of Proper Publishing.
CONFIG: Make OSTYPE files consistently not override settings that
have already been set. Previously it worked differently
for different files.
CONFIG: Change relay mailer to do masquerading like 8.6 did. My take
is that this is wrong, but the change was causing problems
for some people. From Per Hedeland of Ericsson.
CONTRIB: bitdomain.c patch from John Gardiner Myers <jgm+@CMU.EDU>;
portability changes for Posix environments (no functional
changes).
8.7.1/8.7.1 95/10/01
Old macros that have become options (SmtpGreetingMessage,
OperatorChars, and UnixFromLine) didn't allow backslash
escapes in the options, where they previously had. Bug
pointed out by John Hawkinson of MIT.
Fix strange case of an executable called by a program map that
returns a value but also a non-zero exit status; this
would give contradictory results in the higher level; in
particular, the default clause in the map lookup would be
ignored. Change to ignore the value if the program returns
non-zero exit status. From Tom Moore of AT&T GIS.
Shorten parameters passed to syslog() in some contexts to avoid a
bug in many vendors' implementations of that routine. Although
this isn't really a bug in sendmail per se, and my solution
has to assume that syslog() has at least a 1K buffer size
internally (I know some vendors have shortened this
dramatically -- they're on their own), sendmail is a popular
target. Also, limit the size of %s arguments in sprintf.
These both have possible security implications. Solutions
suggested by Casper Dik of Sun's Network Security Group
(Holland), Mark Seiden, and others.
Fix a problem that might cause a non-standard -B (body type)
parameter to be passed to the next server with undefined
results. This could have security implications.
If a filesystem was at > 100% utilization, the freediskspace()
routine incorrectly returned an error rather than zero.
Problem noted by G. Paul Ziemba of Alantec.
Change MX sort order so that local hostnames (those in $=w) always
sort first within a given preference. This forces the bestmx
map to always return the local host first, if it is included
in the list of highest priority MX records. From K. Robert
Elz.
Avoid some possible null pointer dereferences. Fixes from Randy
Martin <WOLF@CLEMSON.EDU>
When sendmail starts up on systems that have no fully qualified
domain name (FQDN) anywhere in the first matching host map
(e.g., /etc/hosts if the hosts service searches "files dns"),
sendmail would sleep to try to find a FQDN, which it really
really needs. This has been changed to fall through to the
next map type if it can't find a FQDN -- i.e., if the hosts
file doesn't have a FQDN, it will try dns even though the
short name was found in /etc/hosts. This is probably a crock,
but many people have hosts files without FQDNs. Remember:
domain names are your friends.
Log a high-priority message if you can't find your FQDN during startup.
Suggested by Simon Barnes of Schlumberger Limited.
When using Hesiod, initialize it early to improve error reporting.
Patch from Don Lewis of Silicon Systems, Inc.
Apparently at least some versions of Linux have a 90 !minute! TCP
connection timeout in the kernel. Add a new "connect" timeout
to limit this time. Defaults to zero (use whatever the
kernel provides). Based on code contributed by J.R. Oldroyd
of TerraNet.
Under some circumstances, a failed message would not be properly
removed from the queue, causing tons of bogus error messages.
(This fix eliminates the problematic EF_KEEPQUEUE flag.)
Problem noted by Allan E Johannesen and Gregory Neil Shapiro
of WPI.
PORTABILITY FIXES:
On IRIX 5.x, there was an inconsistency in the setting
of sendmail.st location. Change the Makefile to
install it in /var/sendmail.st to match the OSTYPE
file and SGI standards. From Andre
<andre@curry.zfe.siemens.de>.
Support for Fujitsu/ICL UXP/DS (For the DS/90 Series)
from Diego R. Lopez <drlopez@cica.es>.
Linux compilation patches from J.R. Oldroyd of TerraNet, Inc.
LUNA 2 Mach patches from Motonori Nakamura.
SunOS Makefile was including -ldbm, which is for the old
dbm library. The ndbm library is part of libc.
CONFIG: avoid bouncing ``user@host.'' (note trailing dot) with
``local configuration error'' in nullclient configuration.
Patch from Gregory Neil Shapiro of WPI.
CONFIG: don't allow an alias file in nullclient configurations --
since all addresses are relayed, they give errors during
rebuild. Suggested by Per Hedeland of Ericsson.
CONFIG: local mailer on Solaris 2 should always get a -f flag because
otherwise the F=S causes the From_ line to imply that root is
the sender. Problem pointed out by Claude Scarpelli of
Infobiogen (France).
NEW FILES:
cf/feature/use_ct_file.m4 (omitted from 8.7 by mistake)
src/Makefiles/Makefile.KSR (omitted from 8.7 by mistake)
src/Makefiles/Makefile.UXPDS
8.7/8.7 95/09/16
Fix a problem that could cause sendmail to run out of file
descriptors due to a trashed data structure after a
vfork. Fix from Brian Coan of the Institute for
Global Communications.
Change the VRFY response if you have disabled VRFY -- some
people seemed to think that it was too rude.
Avoid reference to uninitialized file descriptor if HASFLOCK
was not defined. This was used "safely" in the sense
that it only did a stat, but it would have set the
map modification time improperly. Problem pointed out
by Roy Mongiovi of Georgia Tech.
Clean up the Subject: line on warning messages and return
receipts so that they don't say "Returned mail:"; this
can be confusing.
Move ruleset entry/exit debugging from 21.2 to 21.1 -- this is
useful enough to make it worthwhile printing on "-d".
Avoid logging alias statistics every time you read the alias
file on systems with no database method compiled in.
If you have a name with a trailing dot, and you try looking it
up using gethostbyname without the dot (for /etc/hosts
compatibility), be sure to turn off RES_DEFNAMES and
RES_DNSRCH to avoid finding the wrong name accidentally.
Problem noted by Charles Amos of the University of
Maryland.
Don't do timeouts in collect if you are not running SMTP.
There is nothing that says you can't have a long
running program piped into sendmail (possibly via
/bin/mail, which just execs sendmail). Problem reported
by Don "Truck" Lewis of Silicon Systems.
Try gethostbyname() even if the DNS lookup fails iff option I
is not set. This allows you to have hosts listed in
NIS or /etc/hosts that are not known to DNS. It's normally
a bad idea, but can be useful on firewall machines. This
should really be broken out on a separate flag, I suppose.
Avoid compile warnings against BIND 4.9.3, which uses function
prototypes. From Don Lewis of Silicon Systems.
Avoid possible incorrect diagnosis of DNS-related errors caused
by things like attempts to resolve uucp names using
$[ ... $] -- the fix is to clear h_errno at appropriate
times. From Kyle Jones of UUNET.
SECURITY: avoid denial-of-service attacks possible by destroying
the alias database file by setting resource limits low.
This involves adding two new compile-time options:
HASSETRLIMIT (indicating that setrlimit(2) support is
available) and HASULIMIT (indicating that ulimit(2) support
is available -- the Release 3 form is used). The former
is assumed on BSD-based systems, the latter on System
V-based systems. Attack noted by Phil Brandenberger of
Swarthmore University.
New syntaxes in test (-bt) mode:
``.Dmvalue'' will define macro "m" to "value".
``.Ccvalue'' will add "value" to class "c".
``=Sruleset'' will dump the contents of the indicated
ruleset.
``=M'' will display the known mailers.
``-ddebug-spec'' is equivalent to the command-line
-d debug flag.
``$m'' will print the value of macro $m.
``$=c'' will print the contents of class $=c.
``/mx host'' returns the MX records for ``host''.
``/parse address'' will parse address, returning the value of
crackaddr (essentially, the comment information)
and the parsed address.
``/try mailer address'' will rewrite address into the form
it will have when presented to the indicated mailer.
``/tryflags flags'' will set flags used by parsing. The
flags can be `H' for header or `E' for envelope,
and `S' for sender or `R' for recipient. These
can be combined, so `HR' sets flags for header
recipients.
``/canon hostname'' will try to canonify hostname and
return the result.
``/map mapname key'' will look up `key' in the indicated
`mapname' and return the result.
Somewhat better handling of UNIX-domain socket addresses -- it
should show the pathname rather than hex bytes.
Restore ``-ba'' mode -- this reads a file from stdin and parses
the header for envelope sender information and uses
CR-LF as message terminators. It was thought to be
obsolete (used only for Arpanet NCP protocols), but it
turns out that the UK ``Grey Book'' protocols require
that functionality.
Fix a fix in previous release -- if gethostname and gethostbyname
return a name without dots, and if an attempt to canonify
that name fails, wait one minute and try again. This can
result in an extra 60 second delay on startup if your system
hostname (as returned by hostname(1)) has no dot and no names
listed in /etc/hosts or your NIS map have a dot.
Check for proper domain name on HELO and EHLO commands per
RFC 1123 section 5.2.5. Problem noted by Thomas Dwyer III
of Michigan Technological University.
Relax chownsafe rules slightly -- old version said that if you
can't tell if _POSIX_CHOWN_RESTRICTED is set (that is,
if fpathconf returned EINVAL or ENOSYS), assume that
chown is not safe. The new version falls back to whether
you are on a BSD system or not. This is important for
SunOS, which apparently always returns one of those
error codes. This impacts whether you can mail to files
or not.
Syntax errors such as unbalanced parentheses in the configuration
file could be omitted if you had "Oem" prior to the
syntax error in the config file. Change to always print
the error message. It was especially weird because it
would cause a "warning" message to be sent to the Postmaster
for every message sent (but with no transcript). Problem
noted by Gregory Paris of Motorola.
Rewrite collect and putbody to handle full 8-bit data, including
zero bytes. These changes are internally extensive, but
should have minimal impact on external function.
Allow full words for option names -- if the option letter is
(apparently) a space, then take the word following -- e.g.,
O MatchGECOS=TRUE
The full list of old and new names is as follows:
7 SevenBitInput
8 EightBitMode
A AliasFile
a AliasWait
B BlankSub
b MinFreeBlocks/MaxMessageSize
C CheckpointInterval
c HoldExpensive
D AutoRebuildAliases
d DeliveryMode
E ErrorHeader
e ErrorMode
f SaveFromLine
F TempFileMode
G MatchGECOS
H HelpFile
h MaxHopCount
i IgnoreDots
I ResolverOptions
J ForwardPath
j SendMimeErrors
k ConnectionCacheSize
K ConnectionCacheTimeout
L LogLevel
l UseErrorsTo
m MeToo
n CheckAliases
O DaemonPortOptions
o OldStyleHeaders
P PostmasterCopy
p PrivacyOptions
Q QueueDirectory
q QueueFactor
R DontPruneRoutes
r, T Timeout
S StatusFile
s SuperSafe
t TimeZoneSpec
u DefaultUser
U UserDatabaseSpec
V FallbackMXHost
v Verbose
w TryNullMXList
x QueueLA
X RefuseLA
Y ForkEachJob
y RecipientFactor
z ClassFactor
Z RetryFactor
The old macros that passed information into sendmail have
been changed to options; those correspondences are:
$e SmtpGreetingMessage
$l UnixFromLine
$o OperatorChars
$q (deleted -- not necessary)
To avoid possible problems with an older sendmail,
configuration level 6 is accepted by this version of
sendmail; any config file using the new names should
specify "V6" in the configuration.
Change address parsing to properly note that a phrase before a
colon and a trailing semicolon are essentially the same
as text outside of angle brackets (i.e., sendmail should
treat them as comments). This is to handle the
``group name: addr1, addr2, ..., addrN;'' syntax (it will
assume that ``group name:'' is a comment on the first
address and the ``;'' is a comment on the last address).
This requires config file support to get right. It does
understand that :: is NOT this syntax, and can be turned
off completely by setting the ColonOkInAddresses option.
Level 6 config files added with new mailer flags:
A Addresses are aliasable.
i Do udb rewriting on envelope as well as header
sender lines. Applies to the from address mailer
flags rather than the recipient mailer flags.
j Do udb rewriting on header recipient addresses.
Applies to the sender mailer flags rather than the
recipient mailer flags.
k Disable check for loops when doing HELO command.
o Always run as the mail recipient, even on local
delivery.
w Check for an /etc/passwd entry for this user.
5 Pass addresses through ruleset 5.
: Check for :include: on this address.
| Check for |program on this address.
/ Check for /file on this address.
@ Look up sender header addresses in the user
database. Applies to the mailer flags for the
mailer corresponding to the envelope sender
address, rather than to recipient mailer flags.
Pre-level 6 configuration files set A, w, 5, :, |, /, and @
on the "local" mailer, the o flag on the "prog" and "*file*"
mailers, and the ColonOkInAddresses option.
Eight-to-seven bit MIME conversions. This borrows ideas from
John Beck of Hewlett-Packard, who generously contributed
their implementation to me, which I then didn't use (see
mime.c for an explanation of why). This adds the
EightBitMode option (a.k.a. `8') and an F=8 mailer flag
to control handling of 8-bit data. These have to cope with
two types of 8-bit data: unlabelled 8-bit data (that is,
8-bit data that is entered without declaring it as 8-bit
MIME -- technically this is illegal according to the
specs) and labelled 8-bit data (that is, it was declared
as 8BITMIME in the ESMTP session or by using the
-B8BITMIME command line flag). If the F=8 mailer flag is
set then 8-bit data is sent to non-8BITMIME machines
instead of converting to 7 bit (essentially using
just-send-8 semantics). The values for EightBitMode are:
m convert unlabelled 8-bit input to 8BITMIME, and do
any necessary conversion of 8BITMIME to 7BIT
(essentially, the full MIME option).
p pass unlabelled 8-bit input, but convert labelled
8BITMIME input to 7BIT as required (default).
s strict adherence: reject unlabelled 8-bit input,
convert 8BITMIME to 7BIT as required. The F=8
flag is ignored.
Unlabelled 8-bit data is rejected in mode `s' regardless of
the setting of F=8.
Add new internal class 'n', which is the set of MIME Content-Types
which can not be 8 to 7 bit encoded because of other
considerations. Types "multipart/*" and "message/*" are
never directly encoded (although their components can be).
Add new internal class 's', which is the set of subtypes of the
MIME message/* content type that can be treated as though
they are an RFC822 message. It is predefined to have
"rfc822". Suggested By Kari Hurtta.
Add new internal class 'e'. This is the set of MIME
Content-Transfer-Encodings that can be converted to
a seven bit format (Quoted-Printable or Base64). It is
preinitialized to contain "7bit", "8bit", and "binary".
Add C=charset mailer parameter and the the DefaultCharSet option (no
short name) to set the default character set to use in the
Content-Type: header when doing encoding of an 8-bit message
which isn't marked as MIME into MIME format. If the C=
parameter is set on the Envelope From address, use that as
the default encoding; else use the DefaultCharSet option.
If neither is set, it defaults to "unknown-8bit" as
suggested by RFC 1428 section 3.
Allow ``U=user:group'' field in mailer definition to set a default
user and group that a mailer will be executed as. This
overrides the 'u' and 'g' options, and if the `F=S' flag is
also set, it is the uid/gid that will always be used (that
is, the controlling address is ignored). The values may be
numeric or symbolic; if only a symbolic user is given (no
group) that user's default group in the passwd file is used
as the group. Based on code donated by Chip Rosenthal of
Unicom.
Allow `u' option to also accept user:group as a value, in the same
fashion as the U= mailer option.
Add the symbolic time zone name in the Arpanet format dates (as
a comment). This adds a new compile-time configuration
flag: TZ_TYPE can be set to TZ_TM_NAME (use the value
of (struct tm *)->tm_name), TZ_TM_ZONE (use the value
of (struct tm *)->tm_zone), TZ_TZNAME (use extern char
*tzname[(struct tm *)->tm_isdst]), TZ_TIMEZONE (use
timezone()), or TZ_NONE (don't include the comment). Code
from Chip Rosenthal.
The "Timeout" option (formerly "r") is extended to allow suboptions.
For example,
O Timeout.helo = 2m
There are also two new suboptions "queuereturn" and
"queuewarn"; these subsume the old T option. Thus, to
set them both the preferred new syntax is
O Timeout.queuereturn = 5d
O Timeout.queuewarn = 4h
Sort queue by host name instead of by message priority if the
QueueSortOrder option (no short name) is set is set to
``host''. This makes better use of the connection cache,
but may delay more ``interactive'' messages behind large
backlogs under some circumstances. This is probably a
good option if you have high speed links or don't do lots
of ``batch'' messages, but less good if you are using
something like PPP on a 14.4 modem. Based on code
contributed by Roy Mongiovi of Georgia Tech (my main
contribution was to make it configurable).
Save i-number of df file in qf file to simplify rebuilding of queue
after disastrous disk crash. Suggested by Kyle Jones of
UUNET; closely based on code from KJS DECWRL code written
by Paul Vixie. NOTA BENE: The qf files produced by 8.7
are NOT back compatible with 8.6 -- that is, you can convert
from 8.6 to 8.7, but not the other direction.
Add ``F=d'' mailer flag to disable all use of angle brackets in
route-addrs in envelopes; this is because in some cases
they can be sent to the shell, which interprets them as
I/O redirection.
Don't include error file (option E) with return-receipts; this
can be confusing.
Don't send "Warning: cannot send" messages to owner-* or
*-request addresses. Suggested by Christophe Wolfhugel
of the Institut Pasteur, Paris.
Allow -O command line flag to set long form options.
Add "MinQueueAge" option to set the minimum time between attempts
to run the queue. For example, if the queue interval
(-q value) is five minutes, but the minimum queue age
is fifteen minutes, jobs won't be tried more often than
once every fifteen minutes. This can be used to give
you more responsiveness if your delivery mode is set to
queue-only.
Allow "fileopen" timeout (default: 60 seconds) for opening
:include: and .forward files.
Add "-k", "-v", and "-z" flags to map definitions; these set the
key field name, the value field name, and the field
delimiter. The field delimiter can be a single character
or the sequence "\t" or "\n" for tab or newline.
These are for use by NIS+ and similar access methods.
Change maps to always strip quotes before lookups; the -q flag
turns off this behavior. Suggested by Motonori Nakamura.
Add "nisplus" map class. Takes -k and -v flags to choose the
key and value field names respectively. Code donated by
Sun Microsystems.
Add "hesiod" map class. The "file name" is used as the
"HesiodNameType" parameter to hes_resolve(3). Returns the
first value found for the match. Code donated by Scott
Hutton of Indiana University.
Add "netinfo" (NeXT NetInfo) map class. Maps can have a -k flag to
specify the name of the property that is searched as the
key and a -v flag to specify the name of the property that
is returned as the value (defaults to "members"). The
default map is "/aliases". Some code based on code
contributed by Robert La Ferla of Hot Software.
Add "text" map class. This does slow, linear searches through
text files. The -z flag specifies a column delimiter
(defaults to any sequence of white space), the -k flag
sets the key column number, and the -v flag sets the
value column number. Lines beginning with `#' are treated
as comments.
Add "program" map class to execute arbitrary programs. The search
key is presented as the last argument; the output is one
line read from the programs standard output. Exit statuses
are from sysexits.h.
Add "sequence" map class -- searches maps in sequence until it
finds a match. For example, the declarations:
Kmap1 ...
Kmap2 ...
Kmapseq sequence map1 map2
defines a map "mapseq" that first searches map1; if the
value is found it is returned immediately, otherwise
map2 is searched and the value returned.
Add "switch" map class. This is much like "sequence" except that
the ordering is fetched from an external file, usually
the system service switch. The parameter is the name of
the service to switch on, and the maps that it will use
are the name of the switch map followed by ".service_type".
For example, if the declaration of the map is
Ksample switch hosts
and the system service switch specifies that hosts are
looked up using dns and nis in that order, then this is
equivalent to
Ksample sequence sample.dns sample.nis
The subordinate maps (sample.*) must already be defined.
Add "user" map class -- looks up users using getpwnam. Takes a
"-v field" flag on the definition that tells what passwd
entry to return -- legal values are name, passwd, uid, gid,
gecos, dir, and shell. Generally expected to be used with
the -m (matchonly) flag.
Add "bestmx" map class -- returns the best MX value for the host
listed as the value. If there are several "best" MX records
for this host, one will be chosen at random.
Add "userdb" map class -- looks up entries in the user database.
The "file name" is actually the tag that will be used,
typically "mailname". If there are multiple entries
matching the name, the one chosen is undefined.
Add multiple queue timeouts (both return and warning). These are
set by the Precedence: or Priority: header fields to one of
three values. If a Priority: is set and has value "normal",
"urgent", or "non-urgent" the corresponding timeouts are
used. If no priority is set, the Precedence: is consulted;
if negative, non-urgent timeouts are used; if greater than
zero, urgent timeouts are used. Otherwise, normal timeouts
are used. The timeouts are set by setting the six timeouts
queue{warn,return}.{urgent,normal,non-urgent}.
Fix problem when a mail address is resolved to a $#error mailer
with a temporary failure indication; it works in SMTP,
but when delivering locally the mail is silently discarded.
This patch, from Kyle Jones of UUNET, bounces it instead
of queueing it (queueing is very hard).
When using /etc/hosts or NIS-style lookups, don't assume that
the first name in the list is the best one -- instead,
search for the first one with a dot. For example, if
an /etc/hosts entry reads
128.32.149.68 mammoth mammoth.CS.Berkeley.EDU
this change will use the second name as the canonical
machine name instead of the initial, unqualified name.
Change dequote map to replace spaces in quoted text with a value
indicated by the -s flag on the dequote map definition.
For example, ``Mdequote dequote -s_'' will change
"Foo Bar" into an unquoted Foo_Bar instead of leaving it
quoted (because of the space character). Suggested by Dan
Oscarsson for use in X.400 addresses.
Implement long macro names as ${name}; long class names can
be similarly referenced as $={name} and $~{name}.
Definitions are (e.g.) ``D{name}value''. Names that have
a leading lower case letter or punctuation characters are
reserved for internal use by sendmail; i.e., config files
should use names that begin with a capital letter. Based
on code contributed by Dan Oscarsson.
Fix core dump if getgrgid returns a null group list (as opposed
to an empty group list, that is, a pointer to a list
with no members). Fix from Andrew Chang of Sun Microsystems.
Fix possible core dump if malloc fails -- if the malloc in xalloc
failed, it called syserr which called newstr which called
xalloc.... The newstr is now avoided for "panic" messages.
Reported by Stuart Kemp of James Cook University.
Improve connection cache timeouts; previously, they were not even
checked if you were delivering to anything other than an
IPC-connected host, so a series of (say) local mail
deliveries could cause cached connections to be open
much longer than the specified timeout.
If an incoming message exceeds the maximum message size, stop
writing the incoming bytes to the queue data file, since
this can fill your mqueue partition -- this is a possible
denial-of-service attack.
Don't reject all numeric local user names unless HESIOD is
defined. It turns out that Posix allows all-numeric
user names. Fix from Tony Sanders of BSDI.
Add service switch support. If the local OS has a service
switch (e.g., /etc/nsswitch.conf on Solaris or /etc/svc.conf
on DEC systems) that will be used; otherwise, it falls back
to using a local mechanism based on the ServiceSwitchFile
option (default: /etc/service.switch). For example, if the
service switch lists "files" and "nis" for the aliases
service, that will be the default lookup order. the "files"
("local" on DEC) service type expands to any alias files
you listed in the configuration file, even if they aren't
actually file lookups.
Option I (NameServerOptions) no longer sets the "UseNameServer"
variable which tells whether or not DNS should be considered
canonical. This is now determined based on whether or not
"dns" is in the service list for "hosts".
Add preliminary support for the ESMTP "DSN" extension (Delivery
Status Notifications). DSN notifications override
Return-Receipt-To: headers, which are bogus anyhow --
support for them has been removed.
Add T=mts-name-type/address-type/diagnostic-type keyletter to mailer
definitions to define the types used in DSN returns for
MTA names, addresses, and diagnostics respectively.
Extend heuristic to force running in ESMTP mode to look for the
five-character string "ESMTP" anywhere in the 220 greeting
message (not just the second line). This is to provide
better compatibility with other ESMTP servers.
Print sequence number of job when running the queue so you can
easily see how much progress you have made. Suggested
by Peter Wemm of DIALix.
Map newlines to spaces in logged message-ids; some versions of
syslog truncate the rest of the line after newlines.
Suggested by Fletcher Mattox of U. Texas.
Move up forking for job runs so that if a message is split into
multiple envelopes you don't get "fork storms" -- this
also improves the connection cache utilization.
Accept "<<>>", "<<<>>>", and so forth as equivalent to "<>" for
the purposes of refusing to send error returns. Suggested
by Motonori Nakamura of Ritsumeikan University.
Relax rules on when a file can be written when referenced from
the aliases file: use the default uid/gid instead of the
real uid/gid. This allows you to create a file owned by
and writable only by the default uid/gid that will work
all the time (without having the setuid bit set). Change
suggested by Shau-Ping Lo and Andrew Cheng of Sun
Microsystems.
Add "DialDelay" option (no short name) to provide an "extra"
delay for dial on demand systems. If this is non-zero
and a connect fails, sendmail will wait this long and
then try again. If it takes longer than the kernel
timeout interval to establish the connection, this
option can give the network software time to establish
the link. The default units are seconds.
Move logging of sender information to be as early as possible;
previously, it could be delayed a while for SMTP mail
sent to aliases. Suggested by Brad Knowles of the
Defense Information Systems Agency.
Call res_init() before setting RES_DEBUG; this is required by
BIND 4.9.3, or so I'm told. From Douglas Anderson of
the National Computer Security Center.
Add xdelay= field in logs -- this is a transaction delay, telling
you how long it took to deliver to this address on the
last try. It is intended to be used for sorting mailing
lists to favor "quick" addresses. Provided for use by
the mailprio scripts (see below).
If a map cannot be opened, and that map is non-optional, and
an address requires that map for resolution, queue the
map instead of bouncing it. This involves creating a
pseudo-class of maps called "bogus-map" -- if a required
map cannot be opened, the class is changed to bogus-map;
all queries against bogus-map return "tempfail". The
bogus-map class is not directly accessible. A sample
implementation was donated by Jem Taylor of Glasgow
University Computing Service.
Fix a possible core dump when mailing to a program that talks
SMTP on its standard input. Fix from Keith Moore of
the University of Kentucky.
Make it possible to resolve filenames to $#local $: @ /filename;
previously, the "@" would cause it to not be recognized
as a file. Problem noted by Brian Hill of U.C. Davis.
Accept a -1 signal to re-exec the daemon. This only works if
argv[0] is a full path to sendmail.
Fix bug in "addr=..." field in O option on little-endian machines
-- the network number wasn't being converted to network
byte order. Patch from Kurt Lidl of Pix Technologies
Corporation.
Pre-initialize the resolver early on; this is to avoid a bug with
BIND 4.9.3 that can cause the _res.retry field to get
reset to zero, causing all name server lookups to time
out. Fix from Matt Day of Artisoft.
Restore T line (trusted users) in config file -- but instead of
locking out the -f flag, they just tell whether or not
an X-Authentication-Warning: will be added. This really
just creates new entries in class 't', so "Ft/file/name"
can be used to read trusted user names from a file.
Trusted users are also allowed to execute programs even
if they have a shell that isn't in /etc/shells.
Improve NEWDB alias file rebuilding so it will create them
properly if they do not already exist. This had been
a MAYBENEXTRELEASE feature in 8.6.9.
Check for @:@ entry in NIS maps before starting up to avoid
(but not prevent, sigh) race conditions. This ought to
be handled properly in ypserv, but isn't. Suggested by
Michael Beirne of Motorola.
Refuse connections if there isn't enough space on the filesystem
holding the queue. Contributed by Robert Dana of Wolf
Communications.
Skip checking for directory permissions in the path to a file
when checking for file permissions iff setreuid()
succeeded -- it is unnecessary in that case. This avoids
significant performance problems when looking for .forward
files. Based on a suggestion by Win Bent of USC.
Allow symbolic ruleset names. Syntax can be "Sname" to get an
arbitrary ruleset number assigned or "Sname = integer"
to assign a specific ruleset number. Reference is
$>name_or_number. Names can be composed of alphas, digits,
underscore, or hyphen (first character must be non-numeric).
Allow -o flag on AliasFile lines to make the alias file optional.
From Bryan Costales of ICSI.
Add NoRecipientAction option to handle the case where there is
no legal recipient header in the message. It can take
on values:
None Leave the message as is. The
message will be passed on even
though it is in technically
illegal syntax.
Add-To Add a To: header with any
recipients that it can find from
the envelope. This risks exposing
Bcc: recipients.
Add-Apparently-To Add an Apparently-To: header. This
has almost no redeeming social value,
and is provided only for back
compatibility.
Add-To-Undisclosed Add a header reading
To: undisclosed-recipients:;
which will have the effect of
making the message legal without
exposing Bcc: recipients.
Add-Bcc To add an empty Bcc: header.
There is a chance that mailers down
the line will delete this header,
which could cause exposure of Bcc:
recipients.
The default is NoRecipientAction=None.
Truncate (rather than delete) Bcc: lines in the header. This
should prevent later sendmails (at least, those that don't
themselves delete Bcc:) from considering this message to
be non-conforming -- although it does imply that non-blind
recipients can see that a Bcc: was sent, albeit not to whom.
Add SafeFileEnvironment option. If declared, files named as delivery
targets must be regular files in addition to the regular
checks. Also, if the option is non-null then it is used as
the name of a directory that is used as a chroot(2)
environment for the delivery; the file names listed in an
alias or forward should include the name of this root.
For example, if you run with
O SafeFileEnvironment=/arch
then aliases should reference "/arch/rest/of/path". If a
value is given, sendmail also won't try to save to
/usr/tmp/dead.letter (instead it just leaves the job in the
queue as Qfxxxxxx). Inspired by *Hobbit*'s sendmail patch kit.
Support -A flag for alias files; this will comma concatenate like
entries. For example, given the aliases:
list: member1
list: member2
and an alias file declared as:
OAhash:-A /etc/aliases
the final alias inserted will be "list: member1,member2";
without -A you will get an error on the second and subsequent
alias for "list". Contributed by Bryan Costales of ICSI.
Line-buffer transcript file. Suggested by Liudvikas Bukys.
Fix a problem that could cause very long addresses to core dump in
some special circumstances. Problem pointed out by Allan
Johannesen.
(Internal change.) Change interface to expand() (macro expansion)
to be simpler and more consistent.
Delete check for funny qf file names. This didn't really give
any extra security and caused some people some problems.
(If you -really- want this, define PICKY_QF_NAME_CHECK
at compile time.) Suggested by Kyle Jones of UUNET.
(Internal change.) Change EF_NORETURN to EF_NO_BODY_RETN and
merge with DSN code; this is simpler and more consistent.
This may affect some people who have written their own
checkcompat() routine.
(Internal change.) Eliminate `D' line in qf file. The df file
is now assumed to be the same name as the qf file (with
the `q' changed to a `d', of course).
Avoid forking for delivery if all recipient mailers are marked as
"expensive" -- this can be a major cost on some systems.
Essentially, this forces sendmail into "queue only" mode
if all it is going to do is queue anyway.
Avoid sending a null message in some rather unusual circumstances
(specifically, the RCPT command returns a temporary
failure but the connection is lost before the DATA
command). Fix from Scott Hammond of Secure Computing
Corporation.
Change makesendmail to use a somewhat more rational naming scheme:
Makefiles and obj directories are named $os.$rel.$arch,
where $os is the operating system (e.g., SunOS), $rel is
the release number (e.g., 5.3), and $arch is the machine
architecture (e.g., sun4). Any of these can be omitted,
and anything after the first dot in a release number can
be replaced with "x" (e.g., SunOS.4.x.sun4). The previous
version used $os.$arch.$rel and was rather less general.
Change makesendmail to do a "make depend" in the target directory
when it is being created. This involves adding an empty
"depend:" entry in most Makefiles.
Ignore IDENT return value if the OSTYPE field returns "OTHER",
as indicated by RFC 1413. Pointed out by Kari Hurtta
of the Finnish Meteorological Institute.
Fix problem that could cause multiple responses to DATA command
on header syntax errors (e.g., lines beginning with colons).
Problem noted by Jens Thomassen of the University of Oslo.
Don't let null bytes in headers cause truncation of the rest of
the header.
Log Authentication-Warning:s. Suggested by Motonori Nakamura.
Increase timeouts on message data puts to allow time for receivers
to canonify addresses in headers on the fly. This is still
a rather ugly heuristic. From Motonori Nakamura.
Add "HasWildcardMX" suboption to ResolverOptions; if set, MX
records are not used when canonifying names, and when MX
lookups are done for addressing they must be fully
qualified. This is useful if you have a wildcard MX record,
although it may cause other problems. In general, don't use
wildcard MX records. Patch from Motonori Nakamura.
Eliminate default two-line SMTP greeting message. Instead of
adding an extra "ESMTP spoken here" line, the word "ESMTP"
is added between the first and second word of the first
line of the greeting message (i.e., immediately after the
host name). This eliminates the need for the BROKEN_SMTP_PEERS
compile flag. Old sendmails won't see the ESMTP, but that's
acceptable because SIZE was the only useful extension that
old sendmails understand.
Avoid gethostbyname calls on UNIX domain sockets during SIGUSR1
invoked state dumps. From Masaharu Onishi.
Allow on-line comments in .forward and :include: files; they are
introduced by the string "<LWSP>#@#<LWSP>", where <LWSP>
is a space or a tab. This is intended for native
representation of non-ASCII sets such as Japanese, where
existing encodings would be unreadable or would lose
data -- for example,
<motonori@cs.ritsumei.ac.jp> NAKAMURA Motonori
(romanized/less information)
<motonori@cs.ritsumei.ac.jp> =?ISO-2022-JP?B?GyRCQ2ZCPBsoQg==?=
=?ISO-2022-JP?B?GyRCQUdFNRsoQg==?=
(with MIME encoding, not human readable)
<motonori@cs.ritsumei.ac.jp> #@# ^[$BCfB<^[(B ^[$BAGE5^[(B
(native encoding with ISO-2022-JP)
The last form is human readable in the Japanese environment.
Based on a fix from (surprise!) Motonori Nakamura.
Don't make SMTP error returns on MAIL FROM: line be "sticky" for all
messages to that host; these are most frequently associated
with addresses rather than the host, with the exception of
421 (service shutting down). The effect was to cause queues
to sometimes take an excessive time to flush. Reported by
Robert Sargent of Southern Geographics Technologies and
Eric Prestemon of American University.
Add Nice=N mailer option to set the niceness at which a mailer will
run. This is actually a relative niceness (that is, an
increment on the background value).
Log queue runs that are skipped due to high loads. They are logged
at LOG_INFO priority iff the log level is > 8. Contributed
by Bruce Nagel of Data General.
Allow the error mailer to accept a DSN-style error status code
instead of an sysexits status code in the host part.
Anything with a dot will be interpreted as a DSN-style code.
Add new mailer flag: F=3 will tell translations to Quoted-Printable
to encode characters that might be munged by an EBCDIC system
in addition to the set required by RFC 1521. The additional
characters are !, ", #, $, @, [, \, ], ^, `, {, |, }, and ~.
(Think of "IBM 360" as the mnemonic for this flag.)
Change check for mailing to files to look for a pathname of [FILE]
rather than looking for the mailer named *file*. The mapping
of leading slashes still goes to the *file* mailer. This
allows you to implement the *file* mailer as a separate
program, for example, to insert a Content-Length: header
or do special security policy. However, note that the usual
initial checking for the file permissions is still done, and
the program in question needs to be very careful about how
it does the file write to avoid security problems.
Be able to read ~root/.forward even if the path isn't accessible to
regular users. This is disrecommended because sendmail
sometimes does not run as root (e.g., when an unsafe option
is specified on the command line), but should otherwise be
safe because .forward files must be owned by the user for
whom mail is being forwarded, and cannot be a symbolic link.
Suggested by Forrest Aldrich of Wang Laboratories.
Add new "HostsFile" option that is the pathname to the /etc/hosts
file. This is used for canonifying hostnames when the
service type is "files".
Implement programs on F (read class from file) line. The syntax is
Fc|/path/to/program to read the output from the program
into class "c".
Probe the network interfaces to find alternate names for this
host. Requires the SIOCGIFCONF ioctl call. Code
contributed by SunSoft.
Add "E" configuration line to set or propagate environment
variables into children. "E<envar>" will propagate
the named variable from the environment when sendmail
was invoked into any children it calls; "E<envar>=<value>"
sets the named variable to the indicated value. Any
variables not explicitly named will not be in the child
environment. However, sendmail still forces an
"AGENT=sendmail" environment variable, in part to enforce
at least one environment variable, since many programs and
libraries die horribly if this is not guaranteed.
Change heuristic for rebuilding both NEWDB and NDBM versions of
alias databases -- new algorithm looks for the substring
"/yp/" in the file name. This is more portable and involves
less overhead. Suggested by Motonori Nakamura.
Dynamically allocate the queue work list so that you don't lose
jobs in large queue runs. The old QUEUESIZE compile parameter
is replaced by QUEUESEGSIZE (the unit of allocation, which
should not need to be changed) and the MaxQueueRunSize option,
which is the absolute maximum number of jobs that will ever
be handled in a single queue run. Based on code contributed
by Brian Coan of the Institute for Global Communications.
Log message when a message is dropped because it exceeds the maximum
message size. Suggested by Leo Bicknell of Virginia Tech.
Allow trusted users (those on a T line or in $=t) to use -bs without
an X-Authentication-Warning: added. Suggested by Mark Thomas
of Mark G. Thomas Consulting.
Announce state of compile flags on -d0.1 (-d0.10 throws in the
OS-dependent defines). The old semantic of -d0.1 to not
run the daemon in background has been moved to -d99.100,
and the old 52.5 flag (to avoid disconnect() from closing
all output files) has been moved to 52.100. This makes
things more consistent (flags below .100 don't change
semantics) and separates out the backgrounding so that
it doesn't happen automatically on other unrelated debugging
flags.
If -t is used but no addresses are found in the header, give an
error message rather than just doing nothing. Fix from
Motonori Nakamura.
On systems (like SunOS) where the effective gid is not necessarily
included in the group list returned by getgroups(), the
`restrictmailq' option could sometimes cause an authorized
user to not be able to use `mailq'. Fix from Charles Hannum
of MIT.
Allow symbolic service names for [IPC] mailers. Suggested by
Gerry Magennis of Logica International.
Add DontExpandCnames option to prevent $[ ... $] from expanding CNAMEs
when running DNS. For example, if the name FTP.Foo.ORG is
a CNAME for Cruft.Foo.ORG, then when sitting on a machine in
the Foo.ORG domain a lookup of "FTP" returns "Cruft.Foo.ORG"
if this option is not set, or "FTP.Foo.ORG" if it is set.
This is technically illegal under RFC 822 and 1123, but the
IETF is moving toward legalizing it. Note that turning on
this option is not sufficient to guarantee that a downstream
neighbor won't rewrite the address for you.
Add "-m" flag to makesendmail script -- this tells you what object
directory and Makefile it will use, but doesn't actually do
the make.
Do some additional checking on the contents of the qf file to try
to detect attacks against the qf file. In particular,
abort on any line beginning "From ", and add an "end of
file" line -- any data after that line is prohibited.
Always use /etc/sendmail.cf, regardless of the arbitrary vendor
choices. This can be overridden in the Makefile by using
either -DUSE_VENDOR_CF_PATH to get the vendor location
(to the extent that we know it) or by defining
_PATH_SENDMAILCF (which is a "hard override"). This allows
sendmail 8 to have more consistent installation instructions.
Allow macros on `K' line in config file. Suggested by Andrew Chang
of Sun Microsystems.
Improved symbol table hash function from Eric Wassenaar. This one
is at least 50% faster.
Fix problem that didn't notice that timeout on file open was a
transient error. Fix from Larry Parmelee of Cornell
University.
Allow comments (lines beginning with a `#') in files read for
classes. Suggested by Motonori Nakamura.
Make SIGINT (usually ^C) in test mode return to the prompt instead
of dropping out entirely. This makes testing some of the
name server lookups easier to deal with when there are
hung servers. From Motonori Nakamura.
Add new ${opMode} macro that is set to the current operation mode
(e.g., `s' for -bs, `t' for -bt, etc.). Suggested by
Claude Marinier <MARINIER@emp.ewd.dreo.dnd.ca>.
Add new delivery mode (Odd) that defers all map lookups to queue runs.
Kind of like queue-only mode (Odq) except it tries to avoid
any external service requests; for dial-on-demand hosts that
want to minimize DNS lookups when mail is being queued. For
this to work you will also have to make sure that gethostbyname
of your local host name does not do a DNS lookup.
Improved handling of "out of space" conditions from John Myers of
Carnegie Mellon.
Improved security for mailing to files on systems that have fchmod(2)
support.
Improve "cannot send message for N days" message -- now says "could
not send for past N days". Suggested by Tom Moore of AT&T
Global Information Solutions.
Less misleading Subject: line on messages sent to postmaster only.
From Motonori Nakamura.
Avoid duplicate error messages on bad command line flags. From
Motonori Nakamura.
Better error message for case where ruleset 0 falls off the end
or otherwise does not resolve to a canonical triple.
Fix a problem that could cause multiple bounce messages if a bad
address was sent along with a good address to an SMTP
site where that SMTP site returned a 4yz code in response
to the final dot of the data. Problem reported by David
James of British Telecom.
Add "volatile" declarations so that gcc -O2 will work. Patches
from Alexander Dupuy of System Management ARTS.
Delete duplicates in MX lists -- believe it or not, there are sites
that list the same host twice in an MX list. This deletion
only works on adjacent preferences, so an MX list that
had A=5, B=10, A=15 would leave both As, but one that had
A=5, A=10, B=15 would reduce to A, B. This is intentional,
just in case there is something weird I haven't thought of.
Suggested by Barry Shein of Software Tool & Die.
SECURITY: .forward files cannot be symbolic links. If they are,
a bad guy can read your private files.
PORTABILITY FIXES:
Solaris 2 from Rob McMahon <cudcv@csv.warwick.ac.uk>.
System V Release 4 from Motonori Nakamura of Ritsumeikan
University. This expands the disk size
checking to include all (?) SVR4 configurations.
System V Release 4 from Kimmo Suominen -- initgroups(3)
and setrlimit(2) are both available.
System V Release 4 from sob@sculley.ffg.com -- some versions
apparently "have EX_OK defined in other headerfiles."
Linux Makefile typo.
Linux getusershell(3) is broken in Slackware 2.0 --
from Andrew Pam of Xanadu Australia.
More Linux tweaking from John Kennedy of California State
University, Chico.
Cray changes from Eric Wassenaar: ``On Cray, shorts,
ints, and longs are all 64 bits, and all structs
are multiples of 64 bits. This means that the
sizeof operator returns only multiples of 8.
This requires adaptation of code that really
deals with 32 bit or 16 bit fields, such as IP
addresses or nameserver fields.''
DG/UX 5.4.3 from Mark T. Robinson <mtr@ornl.gov>. To
get the old behavior, use -DDGUX_5_4_2.
DG/UX hack: add _FORCE_MAIL_LOCAL_=yes environment
variable to fix bogus /bin/mail behavior.
Tandem NonStop-UX from Rick McCarty <mccarty@mpd.tandem.com>.
This also cleans up some System V Release 4 compile
problems.
Solaris 2: sendmail.cw file should be in /etc/mail to
match all the other configuration files. Fix
from Glenn Barry of Emory University.
Solaris 2.3: compile problem in conf.c. Fix from Alain
Nissen of the University of Liege, Belgium.
Ultrix: freespace calculation was incorrect. Fix from
Takashi Kizu of Osaka University.
SVR4: running in background gets a SIGTTOU because the
emulation code doesn't realize that "getpeername"
doesn't require reading the file. Fix from Peter
Wemm of DIALix.
Solaris 2.3: due to an apparent bug in the socket emulation
library, sockets can get into a "wedged" state where
they just return EPROTO; closing and re-opening the
socket clears the problem. Fix from Bob Manson
of Ohio State University.
Hitachi 3050R & 3050RX running HI-UX/WE2: portability
fixes from Akihiro Hashimoto ("Hash") of Chiba
University.
AIX changes to allow setproctitle to work from Rainer Sch<63>pf
of Zentrum f<>r Datenverarbeitung der Universit<69>t
Mainz.
AIX changes for load average from Ed Ravin of NASA/Goddard.
SCO Unix from Chip Rosenthal of Unicom (code was using the
wrong statfs call).
ANSI C fixes from Adam Glass (NetBSD project).
Stardent Titan/ANSI C fixes from Kate Hedstrom of Rutgers
University.
DG-UX fixes from Bruce Nagel of Data General.
IRIX64 updates from Mark Levinson of the University of
Rochester Medical Center.
Altos System V (``the first UNIX/XENIX merge the Altos
did for their Series 1000 & Series 2000 line;
their merged code was licensed back to AT&T and
Microsoft and became System V release 3.2'') from
Tim Rice <timr@crl.com>.
OSF/1 running on Intel Paragon from Jeff A. Earickson
<jeff@ssd.intel.com> of Intel Scalable Systems
Division.
Amdahl UTS System V 2.1.5 (SVr3-based) from Janet Jackson
<janet@dialix.oz.au>.
System V Release 4 (statvfs semantic fix) from Alain
Durand of I.M.A.G.
HP-UX 10.x multiprocessor load average changes from
Scott Hutton and Jeff Sumler of Indiana University.
Cray CSOS from Scott Bolte of Cray Computer Corporation.
Unicos 8.0 from Douglas K. Rand of the University of North
Dakota, Scientific Computing Center.
Solaris 2.4 fixes from Sanjay Dani of Dani Communications.
ConvexOS 11.0 from Christophe Wolfhugel.
IRIX 4.0.5 from David Ashton-Reader of CADcentre.
ISC UNIX from J. J. Bailey.
HP-UX 9.xx on the 8xx series machines from Remy Giraud
of Meteo France.
HP-UX configuration from Tom Lane <tgl@sss.pgh.pa.us>.
IRIX 5.2 and 5.3 from Kari E. Hurtta.
FreeBSD 2.0 from Mike Hickey of Federal Data Corporation.
Sony NEWS-OS 4.2.1R and 6.0.3 from Motonori Nakamura.
Omron LUNA unios-b, mach from Motonori Nakamura.
NEC EWS-UX/V 4.2 from Motonori Nakamura.
NeXT 2.1 from Bryan Costales.
AUX patch thanks to Mike Erwin of Apple Computer.
HP-UX 10.0 from John Beck of Hewlett-Packard.
Ultrix: allow -DBROKEN_RES_SEARCH=0 if you are using a
non-DEC resolver. Suggested by Allan Johannesen.
UnixWare 2.0 fixes from Petr Lampa of the Technical
University of Brno (Czech Republic).
KSR OS 1.2.2 support from Todd Miller of the University
of Colorado.
UX4800 support from Kazuhisa Shimizu of NEC.
MAKEMAP: allow -d flag to allow insertion of duplicate aliases
in type ``btree'' maps. The semantics of this are undefined
for regular maps, but it can be useful for the user database.
MAKEMAP: lock database file while rebuilding to avoid sendmail
lookups while the rebuild is going on. There is a race
condition between the open(... O_TRUNC ...) and the lock
on the file, but it should be quite small.
SMRSH: sendmail restricted shell added to the release. This can
be used as an alternative to /bin/sh for the "prog" mailer,
giving the local administrator more control over what
programs can be run from sendmail.
MAIL.LOCAL: add this local mailer to the tape. It is not really
part of the release proper, and isn't fully supported; in
particular, it does not run on System V based systems and
never will.
CONTRIB: a patch to rmail.c from Bill Gianopoulos of Raytheon
to allow rmail to compile on systems that don't have
function prototypes and systems that don't have snprintf.
CONTRIB: add the "mailprio" scripts that will help you sort mailing
lists by transaction delay times so that addresses that
respond quickly get sent first. This is to prevent very
sluggish servers from delaying other peoples' mail.
Contributed by Tony Sanders of BSDI.
CONTRIB: add the "bsdi.mc" file as contributed by Tony Sanders
of BSDI. This has a lot of comments to help people out.
CONFIG: Don't have .mc files include(../m4/cf.m4) -- instead,
put this on the m4 command line. On GNU m4 (which
supports the __file__ primitive) you can run m4 in an
arbitrary directory -- use either:
m4 ${CFDIR}/m4/cf.m4 config.mc > config.cf
or
m4 -I${CFDIR} m4/cf.m4 config.mc > config.cf
On other versions of m4 that don't support __file__, you
can use:
m4 -D_CF_DIR_=${CFDIR}/ ${CFDIR}/m4/cf.m4 ...
(Note the trailing slash on the _CF_DIR_ definition.)
Old versions of m4 will default to _CF_DIR_=.. for back
compatibility.
CONFIG: fix mail from <> so it will properly convert to
MAILER-DAEMON on local addresses.
CONFIG: fix code that was supposed to catch colons in host
names. Problem noted by John Gardiner Myers of CMU.
CONFIG: allow use of SMTP_MAILER_MAX in nullclient configuration.
From Paul Riddle of the University of Maryland, Baltimore
County.
CONFIG: Catch and reject "." as a host address.
CONFIG: Generalize domaintable to look up all domains, not
just unqualified ones.
CONFIG: Delete OLD_SENDMAIL support -- as near as I can tell, it
was never used and didn't work anyway.
CONFIG: Set flags A, w, 5, :, /, |, and @ on the "local" mailer
and d on all mailers in the UUCP class.
CONFIG: Allow "user+detail" to be aliased specially: it will first
look for an alias for "user+detail", then for "user+*", and
finally for "user". This is intended for forwarding mail
for system aliases such as root and postmaster to a
centralized hub.
CONFIG: add confEIGHT_BIT_HANDLING to set option 8 (see above).
CONFIG: add smtp8 mailer; this has the F=8 (just-send-8) flag set.
The F=8 flag is also set on the "relay" mailer, since
this is expected to be another sendmail.
CONFIG: avoid qualifying all UUCP addresses sent via SMTP with
the name of the UUCP_RELAY -- in some cases, this is the
wrong value (e.g., when we have local UUCP connections),
and this can create unreplyable addresses. From Chip
Rosenthal of Unicom.
CONFIG: add confRECEIVED_HEADER to change the format of the
Received: header inserted into all messages. Suggested by
Gary Mills of the University of Manitoba.
CONFIG: Make "notsticky" the default; use FEATURE(stickyhost)
to get the old behavior. I did this upon observing
that almost everyone needed this feature, and that the
concept I was trying to make happen didn't work with
some user agents anyway. FEATURE(notsticky) still works,
but it is a no-op.
CONFIG: Add LUSER_RELAY -- the host to which unrecognized user
names are sent, rather than immediately diagnosing them
as User Unknown.
CONFIG: Add SMTP_MAILER_ARGS, ESMTP_MAILER_ARGS, SMTP8_MAILER_ARGS,
and RELAY_MAILER_ARGS to set the arguments for the
indicated mailers. All default to "IPC $h". Patch from
Larry Parmelee of Cornell University.
CONFIG: pop mailer needs F=n flag to avoid "annoying side effects
on the client side" and F=P to get an appropriate
return-path. From Kimmo Suominen.
CONFIG: add FEATURE(local_procmail) to use the procmail program
as the local mailer. For addresses of the form "user+detail"
the "detail" part is passed to procmail via the -a flag.
Contributed by Kimmo Suominen.
CONFIG: add MAILER(procmail) to add an interface to procmail for
use from mailertables. This lets you execute arbitrary
procmail scripts. Contributed by Kimmo Suominen.
CONFIG: add T= fields (MTS type) to local, smtp, and uucp mailers.
CONFIG: add OSTYPE(ptx2) for DYNIX/ptx 2.x from Sequent. From
Paul Southworth of CICNet Systems Support.
CONFIG: use -a$g as default to UUCP mailers, instead of -a$f.
This causes the null return path to be rewritten as
MAILER-DAEMON; otherwise UUCP gets horribly confused.
From Michael Hohmuth of Technische Universitat Dresden.
CONFIG: Add FEATURE(bestmx_is_local) to cause any hosts that
list us as the best possible MX record to be treated as
though they were local (essentially, assume that they
are included in $=w). This can cause additional DNS
traffic, but is easier to administer if this fits your
local model. It does not work reliably if there are
multiple hosts that share the best MX preference.
Code contributed by John Oleynick of Rutgers.
CONFIG: Add FEATURE(smrsh) to use smrsh (the SendMail Restricted
SHell) instead of /bin/sh as the program used for delivery
to programs. If an argument is included, it is used as
the path to smrsh; otherwise, /usr/local/etc/smrsh is
assumed.
CONFIG: Add LOCAL_MAILER_MAX and PROCMAILER_MAILER_MAX to limit the
size of messages to the local and procmail mailers
respectively. Contributed by Brad Knowles of the Defense
Information Systems Agency.
CONFIG: Handle leading ``phrase:'' and trailing ``;'' as comments
(just like text outside of angle brackets) in order to
properly deal with ``group: addr1, ... addrN;'' syntax.
CONFIG: Require OSTYPE macro (the defaults really don't apply to
any real systems any more) and tweak the DOMAIN macro
so that it is less likely that users will accidentally use
the Berkeley defaults. Also, create some generic files
that really can be used in the real world.
CONFIG: Add new configuration macros to set character sets for
messages _arriving from_ various mailers: LOCAL_MAILER_CHARSET,
SMTP_MAILER_CHARSET, and UUCP_MAILER_CHARSET.
CONFIG: Change UUCP_MAX_SIZE to UUCP_MAILER_MAX for consistency.
The old name will still be accepted for a while at least.
CONFIG: Implement DECNET_RELAY as spec for host to which DECNET
mail (.DECNET pseudo-domain or node::user) will be sent.
As with all relays, it can be ``mailer:hostname''. Suggested
by Scott Hutton.
CONFIG: Add MAILER(mail11) to get DECnet support. Code contributed
by Barb Dijker of Labyrinth Computer Services.
CONFIG: change confCHECK_ALIASES to default to False -- it has poor
performance for large alias files, and this confused many
people.
CONFIG: Add confCF_VERSION to append local information to the
configuration version number displayed during SMTP startup.
CONFIG: fix some.newsgroup.usenet@local.host syntax (previously it
would only work when locally addressed. Fix from
Edvard Tuinder of Cistron Internet Services.
CONFIG: use ${opMode} to avoid error on .REDIRECT addresses if option
"n" (CheckAliases) is set when rebuilding alias database.
Based on code contributed by Claude Marinier.
CONFIG: Allow mailertable to have values of the form
``error:code message''. The ``code'' is a status code
derived from the sysexits codes -- e.g., NOHOST or UNAVAILABLE.
Contributed by David James <dwj@agw.bt.co.uk>.
CONFIG: add MASQUERADE_DOMAIN(domain list) to extend the list of
sender domains that will be replaced with the masquerade name.
These domains will not be treated as local, but if mail passes
through with sender addresses in those domains they will be
replaced by the masquerade name. These can also be specified
in a file using MASQUERADE_DOMAIN_FILE(filename).
CONFIG: add FEATURE(masquerade_envelope) to masquerade the envelope
as well as the header. Substantial improvements to this
code were contributed by Per Hedeland.
CONFIG: add MAILER(phquery) to define a new "ph" mailer; this can be
accessed from a mailertable to do CCSO ph lookups. Contributed
by Kimmo Suominen.
CONFIG: add MAILER(cyrus) to define a new Cyrus mailer; this can be
used to define cyrus and cyrusbb mailers (for IMAP support).
Contributed by John Gardiner Myers of Carnegie Mellon.
CONFIG: add confUUCP_MAILER to select default mailer to use for
UUCP addressing. Suggested by Tom Moore of AT&T GIS.
NEW FILES:
cf/cf/cs-hpux10.mc
cf/cf/cs-solaris2.mc
cf/cf/cyrusproto.mc
cf/cf/generic-bsd4.4.mc
cf/cf/generic-hpux10.mc
cf/cf/generic-hpux9.mc
cf/cf/generic-osf1.mc
cf/cf/generic-solaris2.mc
cf/cf/generic-sunos4.1.mc
cf/cf/generic-ultrix4.mc
cf/cf/huginn.cs.mc
cf/domain/berkeley-only.m4
cf/domain/generic.m4
cf/feature/bestmx_is_local.m4
cf/feature/local_procmail.m4
cf/feature/masquerade_envelope.m4
cf/feature/smrsh.m4
cf/feature/stickyhost.m4
cf/feature/use_ct_file.m4
cf/m4/cfhead.m4
cf/mailer/cyrus.m4
cf/mailer/mail11.m4
cf/mailer/phquery.m4
cf/mailer/procmail.m4
cf/ostype/amdahl-uts.m4
cf/ostype/bsdi2.0.m4
cf/ostype/hpux10.m4
cf/ostype/irix5.m4
cf/ostype/isc4.1.m4
cf/ostype/ptx2.m4
cf/ostype/unknown.m4
contrib/bsdi.mc
contrib/mailprio
contrib/rmail.oldsys.patch
mail.local/mail.local.0
makemap/makemap.0
smrsh/README
smrsh/smrsh.0
smrsh/smrsh.8
smrsh/smrsh.c
src/Makefiles/Makefile.CSOS
src/Makefiles/Makefile.EWS-UX_V
src/Makefiles/Makefile.HP-UX.10
src/Makefiles/Makefile.IRIX.5.x
src/Makefiles/Makefile.IRIX64
src/Makefiles/Makefile.ISC
src/Makefiles/Makefile.KSR
src/Makefiles/Makefile.NEWS-OS.4.x
src/Makefiles/Makefile.NEWS-OS.6.x
src/Makefiles/Makefile.NEXTSTEP
src/Makefiles/Makefile.NonStop-UX
src/Makefiles/Makefile.Paragon
src/Makefiles/Makefile.SCO.3.2v4.2
src/Makefiles/Makefile.SunOS.5.3
src/Makefiles/Makefile.SunOS.5.4
src/Makefiles/Makefile.SunOS.5.5
src/Makefiles/Makefile.UNIX_SV.4.x.i386
src/Makefiles/Makefile.uts.systemV
src/Makefiles/Makefile.UX4800
src/aliases.0
src/mailq.0
src/mime.c
src/newaliases.0
src/sendmail.0
test/t_seteuid.c
RENAMED FILES:
cf/cf/alpha.mc => cf/cf/s2k-osf1.mc
cf/cf/chez.mc => cf/cf/chez.cs.mc
cf/cf/hpux-cs-exposed.mc => cf/cf/cs-hpux9.mc
cf/cf/osf1-cs-exposed.mc => cf/cf/cs-osf1.mc
cf/cf/s2k.mc => cf/cf/s2k-ultrix4.mc
cf/cf/sunos4.1-cs-exposed.mc => cf/cf/cs-sunos4.1.mc
cf/cf/ultrix4.1-cs-exposed.mc => cf/cf/cs-ultrix4.mc
cf/cf/vangogh.mc => cf/cf/vangogh.cs.mc
cf/domain/Berkeley.m4 => cf/domain/Berkeley.EDU.m4
cf/domain/cs-exposed.m4 => cf/domain/CS.Berkeley.EDU.m4
cf/domain/eecs-hidden.m4 => cf/domain/EECS.Berkeley.EDU.m4
cf/domain/s2k.m4 => cf/domain/S2K.Berkeley.EDU.m4
cf/ostype/hpux.m4 => cf/ostype/hpux9.m4
cf/ostype/irix.m4 => cf/ostype/irix4.m4
cf/ostype/ultrix4.1.m4 => cf/ostype/ultrix4.m4
src/Makefile.* => src/Makefiles/Makefile.*
src/Makefile.AUX => src/Makefiles/Makefile.A-UX
src/Makefile.BSDI => src/Makefiles/Makefile.BSD-OS
src/Makefile.DGUX => src/Makefiles/Makefile.dgux
src/Makefile.RISCos => src/Makefiles/Makefile.UMIPS
src/Makefile.SunOS.4.0.3 => src/Makefiles/Makefile.SunOS.4.0
OBSOLETED FILES:
cf/cf/cogsci.mc
cf/cf/cs-exposed.mc
cf/cf/cs-hidden.mc
cf/cf/hpux-cs-hidden.mc
cf/cf/knecht.mc
cf/cf/osf1-cs-hidden.mc
cf/cf/sunos3.5-cs-exposed.mc
cf/cf/sunos3.5-cs-hidden.mc
cf/cf/sunos4.1-cs-hidden.mc
cf/cf/ultrix4.1-cs-hidden.mc
cf/domain/cs-hidden.m4
contrib/rcpt-streaming
src/Makefiles/Makefile.SunOS.5.x
8.6.13/8.6.12 96/01/25
SECURITY: In some cases it was still possible for an attacker to
insert newlines into a queue file, thus allowing access to
any user (except root).
CONFIG: no changes -- it is not a bug that the configuration
version number is unchanged.
8.6.12/8.6.12 95/03/28
Fix to IDENT code (it was getting the size of the reply buffer
too small, so nothing was ever accepted). Fix from several
people, including Allan Johannesen, Shane Castle of the
Boulder County Information Services, and Jeff Smith of
Warwick University (all arrived within a few hours of
each other!).
Fix a problem that could cause large jobs to run out of
file descriptors on systems that use vfork() rather
than fork().
8.6.11/8.6.11 95/03/08
The ``possible attack'' message would be logged more often
than necessary if you are using Pine as a user agent.
The wrong host would be reported in the ``possible attack''
message when attempted from IDENT.
In some cases the syslog buffer could be overflowed when
reporting the ``possible attack'' message. This can
cause denial of service attacks. Truncate the message
to 80 characters to prevent this problem.
When reading the IDENT response a loop is needed around the
read from the network to ensure that you don't get
partial lines.
Password entries without any shell listed (that is, a null
shell) wouldn't match as "ok". Problem noted by
Rob McMahon.
When running BIND 4.9.x a problem could occur because the
_res.options field is initialized differently than it
was historically -- this requires that sendmail call
res_init before it tweaks any bits.
Fix an incompatibility in openxscript() between the file open mode
and the stdio mode passed to fdopen. This caused UnixWare
2.0 to have conniptions. Fix from Martin Sohnius of
Novell Labs Europe.
Fix problem with static linking of local getopt routine when
using GNU's ld command. Fix from John Kennedy of
Cal State Chico.
It was possible to turn off privacy flags. Problem noted by
*Hobbit*.
Be more paranoid about writing files. Suggestions by *Hobbit*
and Liudvikas Bukys.
MAKEMAP: fixes for 64 bit machines (DEC Alphas in particular)
from Spider Boardman.
CONFIG: No changes (version number only, to keep it in sync
with the binaries).
8.6.10/8.6.10 95/02/10
SECURITY: Diagnose bogus values to some command line flags that
could allow trash to get into headers and qf files.
Validate the name of the user returned by the IDENT protocol.
Some systems that really dislike IDENT send intentionally
bogus information. Problem pointed out by Michael Bushnell
of the Free Software Foundation. Has some security
implications.
Fix a problem causing error messages about DNS problems when
the host name contained a percent sign to act oddly
because it was passed as a printf-style format string.
In some cases this could cause core dumps.
Avoid possible buffer overrun in returntosender() if error
message is quite long. From Fletcher Mattox of the
University of Texas.
Fix a problem that would silently drop "too many hops" error
messages if and only if you were sending to an alias.
From Jon Giltner of the University of Colorado and
Dan Harton of Oak Ridge National Laboratory.
Fix a bug that caused core dumps on some systems if -d11.2 was
set and e->e_message was null. Fix from Bruce Nagel of
Data General.
Fix problem that can still cause df files to be left around
after "hop count exceeded" messages. Fix from Andrew
Chang and Shau-Ping Lo of SunSoft.
Fix a problem that can cause buffer overflows on very long
user names (as might occur if you piped to a program
with a lot of arguments).
Avoid returning an error and re-queueing if the host signature
is null; this can occur on addresses like ``user@.''.
Problem noted by Wesley Craig and the University of
Michigan.
Avoid possible calls to malloc(0) if MCI caching is turned
off. Bug fix from Pierre David of the Laboratoire
Parallelisme, Reseaux, Systemes et Modelisation (PRiSM),
Universite de Versailles - St Quentin, and Jacky
Thibault.
Make a local copy of the line being sent via senttolist() -- in
some cases, buffers could get trashed by map lookups
causing it to do unexpected things. This also simplifies
some of the map code.
CONFIG: No changes (version number only, to keep it in sync
with the binaries).
8.6.9/8.6.9 94/04/19
Do all mail delivery completely disconnected from any terminal.
This provides consistency with daemon delivery and
may have some security implications.
Make sure that malloc doesn't get called with zero size,
since that fails on some systems. Reported by Ed
Hill of the University of Iowa.
Fix multi-line values for $e (SMTP greeting message). Reported
by Mike O'Connor of Ford Motor Company.
Avoid syserr if no NIS domain name is defined, but the map it
is trying to open is optional. From Win Bent of USC.
Changes for picky compilers from Ed Gould of Digital Equipment.
Hesiod support for UDB from Todd Miller of the University of
Colorado. Use "hesiod" as the service name in the U
option.
Fix a problem that failed to set the "authentic" host name (that
is, the one derived from the socket info) if you called
sendmail -bs from inetd. Based on code contributed by
Todd Miller (this problem was also reported by Guy Helmer
of Dakota State University). This also fixes a related
problem reported by Liudvikas Bukys of the University of
Rochester.
Parameterize "nroff -h" in all the Makefiles so people with
variant versions can use them easily. Suggested by
Peter Collinson of Hillside Systems.
SMTP "MAIL" commands with multiple ESMTP parameters required two
spaces between parameters instead of one. Reported by
Valdis Kletnieks of Virginia Tech.
Reduce the number of system calls during message collection by
using global timeouts around the collect() loop. This
code was contributed by Eric Wassenaar.
If the initial hostname name gathering results in a name
without a dot (usually caused by NIS misconfiguration)
and BIND is compiled in, directly access DNS to get
the canonical name. This should make life easier for
Solaris systems. If it still can't be resolved, and
if the name server is listed as "required", try again
in 30 seconds. If that also fails, exit immediately to
avoid bogus "config error: mail loops back to myself"
messages.
Improve the "MAIL DELETED BECAUSE OF LACK OF DISK SPACE" error
message to explain how much space was available and
sound a bit less threatening. Suggested by Stan Janet
of the National Institute of Standards and Technology.
If mail is delivered to an alias that has an owner, deliver any
requested return-receipt immediately, and strip the
Return-Receipt-To: header from the subsequent message.
This prevents a certain class of denial of service
attack, arguably gives more reasonable semantics, and
moves things more towards what will probably become a
network standard. Suggested by Christopher Davis of
Kapor Enterprises.
Add a "noreceipts" privacy flag to turn off all return receipts
without recompiling.
Avoid printing ESMTP parameters as part of the error message
if there are errors during parsing. This change is
purely cosmetic.
Avoid sending out error messages during the collect phase of
SMTP; there is an MVS mailer from UCLA that gets
confused by this. Of course, I think it's their bug....
Check for the $j macro getting undefined, losing a dot, or getting
lost from $=w in the daemon before accepting a connection;
if it is, it dumps state, prints a LOG_ALERT message,
and drops core for debugging. This is an attempt to
track down a bug that I thought was long since gone.
If you see this, please forward the log fragment to
sendmail@sendmail.ORG.
Change OLD_NEWDB from a #ifdef to a #if so it can be turned off
with -DOLD_NEWDB=0 on the command line. From Christophe
Wolfhugel.
Instead of trying to truncate the listen queue for the server
SMTP port when the load average is too high, just close
the port completely and reopen it later as needed.
This ensures that the other end gets a quick "connection
refused" response, and that the connection can be
recovered later. In particular, some socket emulations
seem to get confused if you tweak the listen queue
size around and can never start listening to connections
again. The down side is that someone could start up
another daemon process in the interim, so you could
have multiple daemons all not listening to connections;
this could in turn cause the sendmail.pid file to be
incorrect. A better approach might be to accept the
connection and give a 421 code, but that could break
other mailers in mysterious ways and have paging behavior
implications.
Fix a glitch in TCP-level debugging that caused flag 16.101 to
set debugging on the wrong socket. From Eric Wassenaar.
When creating a df* temporary file, be sure you truncate any
existing data in the file -- otherwise system crashes
and the like could result in extra data being sent.
DOC: Replace the CHANGES-R5-R8 readme file with a paper in the
doc directory. This includes some additional
information.
CONFIG: change UUCP rules to never add $U! or $k! on the front
of recipient envelope addresses. This should have been
handled by the $&h trick, but broke if people were
mixing domainized and UUCP addresses. They should
probably have converted all the way over to uucp-uudom
instead of uucp-{new,old}, but the failure mode was to
loop the mail, which was bad news.
Portability fixes:
Newer BSDI systems (several people).
Older BSDI systems from Christophe Wolfhugel.
Intergraph CLIX, from Paul Southworth of CICNet.
UnixWare, from Evan Champion.
NetBSD from Adam Glass.
Solaris from Quentin Campbell of the University of
Newcastle upon Tyne.
IRIX from Dean Cookson and Bill Driscoll of Mitre
Corporation.
NCR 3000 from Kevin Darcy of Chrysler Financial Corporation.
SunOS (it has setsid() and setvbuf() calls) from
Jonathan Kamens of OpenVision Technologies.
HP-UX from Tor Lillqvist.
New Files:
src/Makefile.CLIX
src/Makefile.NCR3000
doc/changes/Makefile
doc/changes/changes.me
doc/changes/changes.ps
8.6.8/8.6.6 94/03/21
SECURITY: it was possible to read any file as root using the
E (error message) option. Reported by Richard Jones;
fixed by Michael Corrigan and Christophe Wolfhugel.
8.6.7/8.6.6 94/03/14
SECURITY: it was possible to get root access by using weird
values to the -d flag. Thanks to Alain Durand of
INRIA for forwarding me the notice from the bugtraq
list.
8.6.6/8.6.6 94/03/13
SECURITY: the ability to give files away on System V-based
systems proved dangerous -- don't run as the owner
of a :include: file on a system that allows giveaways.
Unfortunately, this also applies to determining a
valid shell.
IMPORTANT: Previous versions weren't expiring old connections
in the connection cache for a long time under some
circumstances. This could result in resource exhaustion,
both at your end and at the other end. This checks the
connections for timeouts much more frequently. From
Doug Anderson of NCSC.
Fix a glitch that snuck in that caused programs to be run as
the sender instead of the recipient if the mail was
from a local user to another local user. From
Motonori Nakamura of Kyoto University.
Fix "wildcard" on /etc/shells matching -- instead of looking
for "*", look for "/SENDMAIL/ANY/SHELL/". From
Bryan Costales of ICSI.
Change the method used to declare the "statfs" availability;
instead of HASSTATFS and/or HASUSTAT with a ton of
tweaking in conf.c, there is a single #define called
SFS_TYPE which takes on one of six values (SFS_NONE
for no statfs availability, SFS_USTAT for the ustat(2)
syscall, SFS_4ARGS for a four argument statfs(2) call,
and SFS_VFS, SFS_MOUNT, or SFS_STATFS for a two argument
statfs(2) call with the declarations in <sys/vfs.h>,
<sys/mount.h>, or <sys/statfs.h> respectively).
Fix glitch in NetInfo support that could return garbage if
there was no "/locations/sendmail" property. From
David Meyer of the University of Virginia.
Change HASFLOCK from defined/not-defined to a 0/1 definition
to allow Linux to turn it off even though it is a
BSD-like system.
Allow setting of "ident" timeout to zero to turn off the ident
protocol entirely.
Make 7-bit stripping local to a connection (instead of to a
mailer); this allows you to specify that SMTP is a
7-bit channel, but revert to 8-bit should it advertise
that it supports 8BITMIME. You still have to specify
mailer flag 7 to get this stripping at all.
Improve makesendmail script so it handles more cases automatically.
Tighten up restrictions on taking ownership of :include: files
to avoid problems on systems that allow you to give away
files.
Fix a problem that made it impossible to rebuild the alias
file if it was on a read-only file system. From
Harry Edmon of the University of Washington.
Improve MX randomization function. From John Gardiner Myers
of CMU.
Fix a minor glitch causing a bogus message to be printed (used
%s instead of %d in a printf string for the line number)
when a bad queue file was read. From Harry Edmon.
Allow $s to remain NULL on locally generated mail. I'm not
sure this is necessary, but a lot of people have complained
about it, and there is a legitimate question as to whether
"localhost" is legal as an 822-style domain.
Fix a problem with very short line lengths (mailer L= flag) in
headers. This causes a leading space to be added onto
continuation lines (including in the body!), and also
tries to wrap headers containing addresses (From:, To:,
etc) intelligently at the shorter line lengths. Problem
Reported by Lars-Johan Liman of SUNET Operations Center.
Log the real user name when logging syserrs, since these can have
security implications. Suggested by several people.
Fix address logging of cached connections -- it used to always
log the numeric address as zero. This is a somewhat
bogus implementation in that it does an extra system
call, but it should be an inexpensive one. Fix from
Motonori Nakamura.
Tighten up handling of short syslog buffers even more -- there
were cases where the outgoing relay= name was too long
to share a line with delay= and mailer= logging.
Limit the overhead on split envelopes to one open file descriptor
per envelope -- previously the overhead was three
descriptors. This was in response to a problem reported
by P{r (Pell) Emanuelsson.
Fixes to better handle the case of unexpected connection closes;
this redirects the output to the transcript so the info
is not lost. From Eric Wassenaar.
Fix potential string overrun if you macro evaluate a string that
has a naked $ at the end. Problem noted by James Matheson
<jmrm@eng.cam.ac.uk>.
Make default error number on $#error messages 553 (``Requested
action not taken: mailbox name not allowed'') instead of
501 (``Syntax error in parameters or arguments'') to
avoid bogus "protocol error" messages.
Strip off any existing trailing dot on names during $[ ... $]
lookup. This prevents it from ending up with two dots
on the end of dot terminated names. From Wesley Craig
of the University of Michigan and Bryan Costales of ICSI.
Clean up file class reading so that the debugging information is
more informative. It hadn't been using setclass, so you
didn't see the class items being added.
Avoid core dump if you are running a version of sendmail where
NIS is compiled in, and you specify an NIS map, but
NIS is not running. Fix from John Oleynick of
Rutgers.
Diagnose bizarre case where res_search returns a failure value,
but sets h_errno to a success value.
Make sure that "too many hops" messages are considered important
enough to send an error to the Postmaster (that is, the
address specified in the P option). This fix should
help problems that cause the df file to be left around
sometimes -- unfortunately, I can't seem to reproduce
the problem myself.
Avoid core dump (null pointer reference) on EXPN command; this
only occurred if your log level was set to 10 or higher
and the target account was an alias or had a .forward file.
Problem noted by Janne Himanka.
Avoid "denial of service" attacks by someone who is flooding your
SMTP port with bad commands by shutting the connection
after 25 bad commands are issued. From Kyle Jones of
UUNET.
Fix core dump on error messages with very long "to" buffers;
fmtmsg overflows the message buffer. Fixed by trimming
the to address to 203 characters. Problem reported by
John Oleynick.
Fix configuration for HASFLOCK -- there were some spots where
a #ifndef was incorrectly #ifdef. Pointed out by
George Baltz of the University of Maryland.
Fix a typo in savemail() that could cause the error message To:
lists to be incorrect in some places. From Motonori
Nakamura.
Fix a glitch that can cause duplicate error messages on split
envelopes where an address on one of the lists has a
name server failure. Fix from Voradesh Yenbut of the
University of Washington.
Fix possible bogus pointer reference on ESMTP parameters that
don't have an ``=value'' part.
CNAME loops caused an error message to be generated, but also
re-queued the message. Changed to just re-queue the
message (it's really hard to just bounce it because
of the weird way the name server works in the presence
of CNAME loops). Problem noted by James M.R.Matheson
of Cambridge University.
Avoid giving ``warning: foo owned process doing -bs'' messages
if they use ``MAIL FROM:<foo>'' where foo is their true
user name. Suggested by Andreas Stolcke of ICSI.
Change the NAMED_BIND compile flag to be a 0/1 flag so you can
override it easily in the Makefile -- that is, you can
turn it off using -DNAMED_BIND=0.
If a gethostbyname(...) of an address with a trailing dot fails,
try it without the trailing dot. This is because if
you have a version of gethostbyname() that falls back
to NIS or the /etc/hosts file it will fail to find
perfectly reasonable names that just don't happen to
be dot terminated in the hosts file. You don't want to
strip the dot first though because we're trying to ensure
that country names that match one of your subdomains get
a chance.
PRALIASES: fix bogus output on non-null-terminated strings.
From Bill Gianopoulos of Raytheon.
CONFIG: Avoid rewriting anything that matches $w to be $j.
This was in code intended to only catch the self-literal
address (that is, [1.2.3.4], where 1.2.3.4 is your
IP address), but the code was broken. However, it will
still do this if $M is defined; this is necessary to
get client configurations to work (sigh). Note that this
means that $M overrides :mailname entries in the user
database! Problem noted by Paul Southworth.
CONFIG: Fix definition of Solaris help file location. From
Steve Cliffe <steve@gorgon.cs.uow.edu.au>.
CONFIG: Fix bug that broke news.group.USENET mappings.
CONFIG: Allow declaration of SMTP_MAILER_MAX, FAX_MAILER_MAX,
and USENET_MAILER_MAX to tweak the maximum message
size for various mailers.
CONFIG: Change definition of USENET_MAILER_ARGS to include argv[0]
instead of assuming that it is "inews" for consistency
with other mailers. From Michael Corrigan of UC San Diego.
CONFIG: When mail is forwarded to a LOCAL_RELAY or a MAIL_HUB,
qualify the address in the SMTP envelope as user@{relay|hub}
instead of user@$j. From Bill Wisner of The Well.
CONFIG: Fix route-addr syntax in nullrelay configuration set.
CONFIG: Don't turn off case mapping of user names in the local
mailer for IRIX. This was different than most every other
system.
CONFIG: Avoid infinite loops on certainly list:; syntaxes in
envelope. Noted by Thierry Besancon
<besancon@excalibur.ens.fr>.
CONFIG: Don't include -z by default on uux line -- most systems
don't want it set by default. Pointed out by Philippe
Michel of Thomson CSF.
CONFIG: Fix some bugs with mailertables -- for example, if your
host name was foo.bar.ray.com and you matched against
".ray.com", the old implementation bound %1 to "bar"
instead of "foo.bar". Also, allow "." in the mailertable
to match anything -- essentially, take over SMART_HOST.
This also moves matching of explicit local host names
before the mailertable so they don't have to be special
cased in the mailertable data. Reported by Bill
Gianopoulos of Raytheon; the fix for the %1 binding
problem was contributed by Nicholas Comanos of the
University of Sydney.
CONFIG: Don't include "root" in class $=L (users to deliver
locally, even if a hub or relay exists) by default.
This is because of the known bug where definition of
both a LOCAL_RELAY and a MAIL_HUB causes $=L to ignore
both and deliver into the local mailbox.
CONFIG: Move up bitdomain and uudomain handling so that they
are done before .UUCP class matching; uudomain was
reported as ineffective before. This also frees up
diversion 8 for future use. Problem reported by Kimmo
Suominen.
CONFIG: Don't try to convert dotted IP address (e.g., [1.2.3.4])
into host names. As pointed out by Jonathan Kamens,
these are often used because either the forward or reverse
mapping is broken; this translation makes it broken again.
DOC: Clarify $@ and $: in the Install & Op Guide. From Kimmo
Suominen.
Portability fixes:
Unicos from David L. Kensiski of Sterling Software.
DomainOS from Don Lewis of Silicon Systems.
GNU m4 1.0.3 from Karst Koymans of Utrecht University.
Convex from Kimmo Suominen <kim@tac.nyc.ny.us>.
NetBSD from Adam Glass <glass@sun-lamp.cs.berkeley.edu>.
BSD/386 from Tony Sanders of BSDI.
Apollo from Eric Wassenaar.
DGUX from Doug Anderson.
Sequent DYNIX/ptx 2.0 from Tim Wright of Sequent.
NEW FILES:
src/Makefile.DomainOS
src/Makefile.PTX
src/Makefile.SunOS.5.1
src/Makefile.SunOS.5.2
src/Makefile.SunOS.5.x
src/mailq.1
cf/ostype/domainos.m4
doc/op/Makefile
doc/intro/Makefile
doc/usenix/Makefile
8.6.5/8.6.5 94/01/13
Security fix: /.forward could be owned by anyone (the test
to allow root to own any file was backwards). From
Bob Campbell at U.C. Berkeley.
Security fix: group ids were not completely set when programs
were invoked. This caused programs to have group
permissions they should not have had (usually group
daemon instead of their own group). In particular,
Perl scripts would refuse to run.
Security: check to make sure files that are written are not
symbolic links (at least under some circumstances).
Although this does not respond to a specific known
attack, it's just a good idea. Suggested by
Christian Wettergren.
Security fix: if a user had an NFS mounted home directory on
a system with a restricted shell listed in their
/etc/passwd entry, they could still execute any
program by putting that in their .forward file.
This fix prevents that by insisting that their shell
appear in /etc/shells before allowing a .forward to
execute a program or write a file. You can disable
this by putting "*" in /etc/shells. It also won't
permit world-writable :include: files to reference
programs or files (there's no way to disable this).
These behaviors are only one level deep -- for
example, it is legal for a world-writable :include:
file to reference an alias that writes a file, on
the assumption that the alias file is well controlled.
Security fix: root was not treated suspiciously enough when
looking into subdirectories. This would potentially
allow a cracker to examine files that were publicly
readable but in a non-publicly searchable directory.
Fix a problem that causes an error on QUIT on a cached
connection to create problems on the current job.
These are typically unrelated, so errors occur in
the wrong place.
Reset CurrentLA in sendall() -- this makes sendmail queue
runs more responsive to load average, and fixes a
problem that ignored the load average in locally
generated mail. From Eric Wassenaar.
Fix possible core dump on aliases with null LHS. From
John Orthoefer of BB&N.
Revert to using flock() whenever possible -- there are just
too many bugs in fcntl() locking, particularly over
NFS, that cause sendmail to fail in perverse ways.
Fix a bug that causes the connection cache to get confused
when sending error messages. This resulted in
"unexpected close" messages. It should fix itself
on the following queue run. Problem noted by
Liudvikas Bukys of the University of Rochester.
Include $k in $=k as documented in the Install & Op Guide.
This seems odd, but it was documented.... From
Michael Corrigan of UCSD.
Fix problem that caused :include:s from alias files to be
forced to be owned by root instead of daemon
(actually DefUid). From Tim Irvin.
Diagnose unrecognized I option values -- from Mortin Forssen
of the Chalmers University of Technology.
Make "error" mailer work consistently when there is no error
code associated with it -- previously it returned OK
even though there was a real problem. Now it assumes
EX_UNAVAILABLE.
Fix bug that caused the last header line of messages that had
no body and which were terminated with EOF instead of
"." to be discarded. Problem noted by Liudvikas Bukys.
Fix core dump on SMTP mail to programs that failed -- it tried
to go to a "next MX host" when none existed, causing
a core dump. From der Mouse at McGill University.
Change IDENTPROTO from a defined/not defined to a 0/1 switch;
this makes it easier to turn it off (using
-DIDENTPROTO=0 in the Makefile). From der Mouse.
Fix YP_MASTER_NAME store to use the unupdated result of
gethostname() (instead of myhostname(), which tries
to fully qualify the name) to be consistent with
SunOS. If your hostname is unqualified, this fixes
transfers to slave servers. Bug noted by Keith
McMillan of Ameritech Services, Inc.
Fix Ultrix problem: gethostbyname() can return a very large
(> 500) h_length field, which causes the sockaddr
to be trashed. Use the size of the sockaddr instead.
Fix from Bob Manson of Ohio State.
Don't assume "-a." on host lookups if NAMED_BIND is not
defined -- this confuses gethostbyname on hosts
file lookups, which doesn't understand the trailing
dot convention.
Log SMTP server subprocesses that die with a signal instead
of from a clean exit.
If you don't have option "I" set, don't assume that a DNS
"host unknown" message is authoritative -- it
might still be found in /etc/hosts.
Fix a problem that would cause Deferred: messages to be sent
as the subject of an error message, even though the
actual cause of a message was more severe than that.
Problem noted by Chris Seabrook of OSSI.
Fix race condition in DBM alias file locking. From Kyle
Jones of UUNET.
Limit delivery syslog line length to avoid bugs in some
versions of syslog(3). This adds a new compile time
variable SYSLOG_BUFSIZE. From Jay Plett of Princeton
University, which is in turn derived from IDA.
Fix quotes inside of comments in addresses -- previously
it insisted that they be balanced, but the 822 spec
says that they should be ignored.
Dump open file state to syslog upon receiving SIGUSR1 (for
debugging). This also evaluates ruleset 89, if set
(with the null input), and logs the result. This
should be used sparingly, since the rewrite process
is not reentrant.
Change -qI, -qR, and -qS flags to be case-insensitive as
documented in the Bat Book.
If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
return an error message and did not requeue the message.
Fix based on code from Roland Dirlewanger of
Reseau Regional Aquarel, Bordeaux, France.
Fix a problem that caused a seg fault if you got a 421 error
code during some parts of connection initialization.
I've only seen this when talking to buggy mailers on
the other end, but it shouldn't give a seg fault in
any case. From Amir Plivatsky.
Fix core dump caused by a ruleset call that returns null.
Fix from Bryan Costales of ICSI.
Full-Name: field was being ignored. Fix from Motonori Nakamura
of Kyoto University.
Fix a possible problem with very long input lines in setproctitle.
From P{r Emanuelsson.
Avoid putting "This is a warning message" out on return receipts.
Suggested by Douglas Anderson.
Detect loops caused by recursive ruleset calls. Suggested by
Bryan Costales.
Initialize non-alias maps during alias rebuilds -- they may be
needed for parsing. Problem noted by Douglas Anderson.
Log sender address even if no message was collected in SMTP
(e.g., if all RCPTs failed). Suggested by Motonori
Nakamura.
Don't reflect the owner-list contents into the envelope sender
address if the value contains ", :, /, or | (to avoid
illegal addresses appearing there).
Efficiency hack for toktype macro -- from Craig Partridge of
BB&N.
Clean up DNS error printing so that a host name is always
included.
Remember to set $i during queue runs. Reported by Stephen
Campbell of Dartmouth University.
If the environment variable HOSTALIASES is set, use it during
canonification as the name of a file with per-user host
translations so that headers are properly mapped. Reported
by Anne Bennett of Concordia University.
Avoid printing misleading error message if SMTP mailer (not
using [IPC]) should die on a core dump.
Avoid incorrect diagnosis of "file 1 closed" when it is caused
by the other end closing the connection. From
Dave Morrison of Oracle.
Improve several of the error messages printed by "mailq"
to include a host name or other useful information.
Add NetInfo preliminary support for NeXT systems. From Vince
DeMarco.
Fix a glitch that sometimes caused :include:s that pointed to
NFS filesystems that were down to give an "aliasing/
forwarding loop broken" message instead of queueing
the message for retry. Noted by William C Fenner of
the NRL Connection Machine Facility.
Fix a problem that could cause a core dump if the input sequence
had (or somehow acquired) a \231 character.
Make sure that route-addrs always have <angle brackets> around
them in non-SMTP envelopes (SMTP envelopes already do
this properly).
Avoid weird headers on unbalanced punctuation of the form:
``Joe User <user)'' -- this caused reference to the
null macro. Fix from Rick McCarty of IO.COM.
Fix a problem that caused an alias "user: user@local.host" to
not have the QNOTREMOTE bit set; this caused configs
to act as if FEATURE(notsticky) was defined even when
it was not. The effect of the problem was to make it
very hard to to set up satellite sites that had a few
local accounts, with everything else forwarded to a
corporate hub. Reported by Detlef Drewanz of the
University of Rostock and Mark Frost of NCD.
Change queuing to not call rulesets 3, {1 or 2}, 4 on header
addresses. This is more efficient (fewer name server
calls) and fixes certain unusual configurations, such
as those that have ruleset 4 do something that is
non-idempotent unless a mailer-specific ruleset did
something else. Problem reported by Brian J. Coan
of the Institute for Global Communications.
Fix the "obsolete argument" routine in main to better understand
new arguments. For example, if you used ``sendmail
-C config -v -q'' it would choke on the -q because
the -C would stop looking for old-format arguments.
Fix the code that was intended to allow two users to forward their
mail to the same program and have them appear unique.
Portability fixes for:
SCO UNIX from Murray Kucherawy.
SCO Open Server 3.2v4 from Philippe Brand.
System V Release 4 from Rick Ellis and others.
OSF/1 from Steve Campbell.
DG/UX from Ben Mesander of the USGS and Bryan Curnutt
of Stoner Associates.
Motorola SysV88 from Kevin Johnson of Motorola.
Solaris 2.3 from Casper H.S. Dik of the University
of Amsterdam and John Caruso of University
of Maryland.
FreeBSD from Ollivier Robert.
NetBSD from Adam Glass.
TitanOS from Kate Hedstrom of Rutgers University.
Irix from Bryan Curnutt.
Dynix from Jim Davis of the University of Arizona.
RISC/os.
Linux from John Kennedy of California State University
at Chico.
Solaris 2.x from Tony Boner of the U.S. Air Force.
NEXTSTEP 3.x from Vince DeMarco.
HP-UX from various people. NOTA BENE: the location
of the config file has moved to /usr/lib
to match the HP-UX version of sendmail.
CONFIG: Don't do any recipient rewriting on relay mailer;
since this is intended only for internal use, the
usual RFC 821/822/1123 rules can be relaxed. The
main point of this is to avoid munging (ugh) UUCP
addresses when relaying internally.
CONFIG: fix typo in mailer/uucp.m4 that mutilates list:;
syntax addresses delivered via UUCP. Solution
provided by Peter Wemm.
CONFIG: fix thumb-fumble in default UUCP relaying in ruleset
zero; it caused double @ signs in addresses. From
Irving Reid of the University of Toronto.
CONFIG: Portability fixes for SCO Unix 3.2 with TCP/IP 1.2.1
from Markku Toijala of ICL Personal Systems Oy.
CONFIG: Add trailing "." on pseudo-domains for consistency;
this fixes a problem (noted by Al Whaley of Sunnyside)
that made it hard to recognize your own pseudodomain
names.
CONFIG: catch "@host" syntax errors (i.e., null local-parts)
rather than letting them get "local configuration
error"s. Problem noted by John Gardiner Myers.
CONFIG: add uucp-uudom mailer variant, based on code posted
by Spider Boardman <spider@Orb.Nashua.NH.US>; this
has uucp-dom semantics but old UUCP syntax. This
also permits "uucp-old" as an alias for "uucp" and
"uucp-new" as a synonym for "suucp" for consistency.
CONFIG: add POP mailer support (from Kimmo Suominen
<kim@grendel.lut.fi>).
CONFIG: drop CSNET_RELAY support -- CSNET is long gone.
CONFIG: fix bug caused with domain literal addresses (e.g.,
``[128.32.131.12]'') when FEATURE(allmasquerade)
was set; it would get an additional @masquerade.host
added to the address. Problem noted by Peter Wan
of Georgia Tech.
CONFIG: make sure that the local UUCP name is in $=w. From
Jim Murray of Stratus.
CONFIG: changes to UUCP rewriting to simulate IDA-style "V"
mailer flag. Briefly, if you are sending to host
"foo", then it rewrites "foo!...!baz" to "...!baz",
"foo!baz" remains "foo!baz", and anything else has
the local name prepended.
CONFIG: portability fixes for HP-UX.
DOC: several minor problems fixed in the Install & Op Guide.
MAKEMAP: fix core dump problem on lines that are too long or
which lack newline. From Mark Delany.
MAILSTATS: print sums of columns (total messages & kbytes
in and out of the system). From Tom Ferrin of UC
San Francisco Computer Graphics Lab.
SIGNIFICANT USER- OR SYSAD-VISIBLE CHANGES:
On HP-UX, /etc/sendmail.cf has been moved to
/usr/lib/sendmail.cf to match HP sendmail.
Permissions have been tightened up on world-writable
:include: files and accounts that have shells
that are not listed in /etc/shells. This may
cause some .forward files that have worked
before to start failing.
SIGUSR1 dumps some state to the log.
NEW FILES:
src/Makefile.DGUX
src/Makefile.Dynix
src/Makefile.FreeBSD
src/Makefile.Mach386
src/Makefile.NetBSD
src/Makefile.RISCos
src/Makefile.SCO
src/Makefile.SVR4
src/Makefile.Titan
cf/mailer/pop.m4
cf/ostype/bsdi1.0.m4
cf/ostype/dgux.m4
cf/ostype/dynix3.2.m4
cf/ostype/sco3.2.m4
makemap/Makefile.dist
praliases/Makefile.dist
8.6.4/8.6.4 93/10/31
Repair core-dump problem (write to read-only memory segment)
if you fall back to the return-to-Postmaster case in
savemail. Problem reported by Richard Liu.
Immediately diagnose bogus sender addresses in SMTP. This
makes quite certain that crackers can't use this
class of attack.
Reliability Fix: check return value from fclose() and fsync()
in a few critical places.
Minor problem in initsys() that reversed a condition for
redirecting the output channel on queue runs. It's
not clear this code even does anything. From Eric
Wassenaar of the Dutch National Institute for Nuclear
and High-Energy Physics.
Fix some problems that caused queue runs to do "too much work",
such as double-reading the Errors-To: header. From
Eric Wassenaar.
Error messages on writing the temporary file (including the
data file) were getting suppressed in SMTP -- this
fix causes them to be properly reported. From Eric
Wassenaar.
Some changes to support AF_UNIX sockets -- this will only
really become relevant in the next release, but some
people need it for local patches. From Michael
Corrigan of UC San Diego.
Use dynamically allocated memory (instead of static buffers)
for macros defined in initsys() and settime(); since
these can have different values depending on which
envelope they are in. From Eric Wassenaar.
Improve logging to show ctladdr on to= logging; this tells you
what uid/gid processes ran as.
Fix a problem that caused error messages to be discarded if
the sender address was unparseable for some reason;
this was supposed to fall back to the "return to
postmaster" case.
Improve aliaswait backoff algorithm.
Portability patches for Linux (8.6.3 required another header
file) (from Karl London) and SCO UNIX.
CONFIG: patch prog mailer to not strip host name off of envelope
addresses (so that it matches local again). From
Christopher Davis.
CONFIG: change uucp-dom mailer so that "<>" translates to $n;
this prevents uux from seeing lines with null names like
``From Sat Oct 30 14:55:31 1993''. From Motonori
Nakamura of Kyoto University.
CONFIG: handle <list:;> syntax correctly. This isn't legal, but
it shouldn't fail miserably. From Motonori Nakamura.
8.6.2/8.6.2 93/10/15
Put a "successful delivery" message in the transcript for
addresses that get return-receipts.
Put a prominent "this is only a warning" message in warning
messages -- some people don't read carefully enough
and end up sending the message several times.
Include reason for temporary failure in the "warning" return
message. Currently, it just says "cannot send for
four hours".
Fix the "Original message received" time generated for
returntosender messages. It was previously listed as
the current time. Bug reported by Eric Hagberg of
Cornell University Medical College.
If there is an error when writing the body of a message,
don't send the trailing dot and wait for a response
in sender SMTP, as this could cause the connection to
hang up under some bizarre circumstances. From Eric
Wassenaar.
Fix some server SMTP synchronization problems caused when
connections fail during message collection. From
Eric Wassenaar.
Fix a problem that can cause srvrsmtp to reject mail if the
name server is down -- it accepts the RCPT but rejects
the DATA command. Problem reported by Jim Murray of
Stratus.
Fix a problem that can cause core dumps if the config file
incorrectly resolves to a null hostname. Reported by
Allan Johannesen of WPI.
Non-root use of -C flag, dangerous -f flags, and use of -oQ
by non-root users were not put into
X-Authentication-Warning:s as intended because the
config file hadn't set the PrivacyOptions yet. Fix
from Sven-Ove Westberg of the University of Lulea.
Under very odd circumstances, the alias file rebuild code
could get confused as to whether a database was
open or not.
Check "vendor code" on the end of V lines -- this is
intended to provide a hook for vendor-specific
configuration syntax. (This is a "new feature",
but I've made an exception to my rule in a belief
that this is a highly exceptional case.)
Portability fixes for DG/UX (from Douglas Anderson of NCSC),
SCO Unix (from Murray Kucherawy), A/UX, and OSF/1
(from Jon Forrest of UC Berkeley)
CONFIG: fix ``mailer:host'' form of UUCP relay naming.
8.6.1/8.6 93/10/08
Portability fixes for A/UX and Encore UMAX V.
Fix error message handling -- if you had a name server down
causing an error during parsing, that message was never
propagated to the queue file.
8.6/8.6 93/10/05
Configuration cleanup: make it easier to undo IDENTPROTO in
conf.h (other systems have the same bug).
If HASGETDTABLESIZE and _SC_OPEN_MAX are both defined, assume
getdtablesize() instead of sysconf(); a disturbingly
large number of systems defined _SC_OPEN_MAX in the
header files but don't have the syscall.
Another patch to really truly ignore MX records in getcanonname
if trymx == FALSE.
Fix problem that caused the "250 IAA25499 Message accepted for
delivery" message to be omitted if there was an error
in the header of the message (e.g., a bad Errors-To:
line). Pointed out by Michael Corrigan of UCSD.
Announce name of host we are chatting when we get errors; this
is an IDA-ism suggested by Christophe Wolfhugel.
Portability fixes for Alpha OSF/1 (from Anthony Baxter of the
Australian Artificial Intelligence Institute), SCO Unix
(from Murray Kucherawy of Hookup Communication Corp.),
NeXT (from Vince DeMarco and myself), Linux (from
Karl London <karl@borg.demon.co.uk>), BSDI (from
Christophe Wolfhugel, and SVR4 on Dell (from Kimmo
Suominen), AUX 3.0 on Macintosh, and ANSI C compilers.
Some changes to get around gcc optimizer bugs. From Takahiro
Kanbe.
Fix error recovery in queueup if another tf file of the same
name already exists. Problem stumbled over by Bill
Wisner of The Well.
Output YP_MASTER_NAME and YP_LAST_MODIFIED without null bytes.
Problem noted by Keith McMillan of Ameritech Services.
Deal with group permissions properly when opening .forward and
:include: files. This relaxes the 8.1C restrictions
slightly more. This includes proper setting of groups
when reading :include: files, allowing you to read some
files that you should be able to read but have previously
been denied unless you owned them or they had "other"
read permission.
Make certain that $j is in $=w (after the .cf is read) so that
if the user is forced to override some silly system,
MX suppression will still work.
Fix a couple of efficiency problems where newstr was double-
calling expensive routines. In at least one case, it
wasn't guaranteed that they would always return the
same result. Problem noted by Christophe Wolfhugel.
Fix null pointer dereference in putoutmsg -- only on an error
condition from a non-SMTP mailer. From Motonori
Nakamura.
Macro expand "C" line class definitions before scanning so that
"CX $Z" works.
Fix problem that caused error message to be sent while still
trying to send the original message if the connection
is closed during a DATA command after getting an error
on an RCPT command (pretty obscure). Problem reported
by John Myers of CMU.
Fix reply to NOOP to be 250 instead of 200 -- this is a long
term bug.
Fix a nasty bug causing core dumps when returning the "warning:
cannot deliver for N hours -- will keep trying" message;
it only occurred if you had PostmasterCopy set and
only on some architectures. Although sendmail would
keep trying, it would send error messages on each
queue interval. This is an important fix.
Allow u and g options to take user and group names respectively.
Don't do a chdir into the queue directory in -bt mode to make
ruleset testing a bit easier.
Don't allow users to turn off logging (using -oL) on the command
line -- command line can only raise, not lower, logging
level.
Set $u to the original recipient on the SMTP transaction or on
the command line. This is only done if there is exactly
one recipient. Technically, this does not meet the
specs, because it does not guarantee a domain on the
address.
Fix a problem that dumped error messages on bad addresses if
you used the -t flag. Problem noted by Josh Smith of
Harvey Mudd College.
Given an address such as ``<foo> <bar>'', auto-quote the first
``<foo>'' part, giving ``"<foo>" <bar>''. This is to
avoid the problem of people who use angle brackets in
their full name information.
Fix a null pointer dereference if you set option "l", have
an Errors-To: header in the message, and have Errors-To:
defined in the config file H lines. From J.R. Oldroyd.
Put YPCOMPAT on #ifdef NIS instead -- it's one less thing to get
wrong when compiling. Suggested by Rick McCarty of TI.
Fix a problem that could pass negative SIZE parameter if the
df file got lost; this would cause servers to always
give a temporary failure, making the problem even worse.
Problem noted by Allan Johannesen of WPI.
Add "ident" timeout (one of the "r" option selectors) for IDENT
protocol timeouts (30s default). Requested by Murray
Kucherawy of HookUp Communication Corp. to handle bogus
PC TCP/IP implementations.
Change $w default definition to be just the first component of
the domain name on config level 5. The $j macro defaults
to the FQDN; $m remains as before. This lets well-behaved
config files use any of the short, long, or subdomain
names.
Add makesendmail script in src to try to automate multi-architecture
builds. I know, this is sub-optimal, but it is still
helpful.
Fix very obscure race condition that can cause a queue run to
get a queue file for an already completed job. This
problem has existed for years. Problem noted by the
long suffering Allan Johannesen of WPI.
Fix a problem that caused the raw sender name to be passed to
udbsender instead of the canonified name -- this caused
it to sometimes miss records that it should have found.
Relax check of name on HELO packet so that a program using -bs
that claims to be itself works properly.
Restore rewriting of $: part of address through 2, R, 4 in
buildaddr -- this requires passing a lot of flags to get
it right. Unlike old versions, this ONLY rewrites
recipient addresses, not sender addresses.
Fix a bug that caused core dumps in config files that cannot
resolve /file/name style addresses. Fix from Jonathan
Kamens of OpenVision Technologies.
Fix problem with fcntl locking that can cause error returns to
be lost if the lock is lost; this required fully
queueing everything, dropping the envelope (so errors
would get returned), and then re-reading the queue from
scratch.
Fix a problem that caused aliases that redefine an otherwise
true address to still send to the original address
if and only if the alias failed in certain bizarre
ways (e.g, if they pointed at a list:; syntax address).
Problem pointed out by Jonathan Kamens.
Remove support for frozen configuration files. They caused
more trouble than it was worth.
Fix problem that can cause error messages to get ignored when
using both -odb and -t flags. Problem noted by Rob
McNicholas at U.C. Berkeley.
Include all "normal" variations on hostname in $=w. For example,
if the host name is vangogh.cs.berkeley.edu, $=w will
contain vangogh, vangogh.cs, and vangogh.cs.berkeley.edu.
Add "restrictqrun" privacy flag -- without this, anyone can run
the queue.
Reset SmtpPhase global on initial connection creation so that
messages don't come out with stale information.
Pass an "ext" argument to lockfile so that error/log messages
will properly reflect the true filename being locked.
Put all [...] address forms into $=w -- this eliminates the need
for MAXIPADDR in conf.h. Suggested by John Gardiner
Myers of CMU.
Fix a bug that can cause qf files to be left around even after
an SMTP RSET command. Problem and fix from Michael
Corrigan.
Don't send a PostmasterCopy to errors when the Precedence: is
negative. Error reports still go to the envelope
sender address.
Add LA_SHORT for load averages.
Lock sendmail.st file when posting statistics.
Add "SendBufSize" and "RcvBufSize" suboptions to "O" option to
set the size of the TCP send and receive buffers; if you
run over a slow slip line you may need to set these down
(although it would be better to fix the SLIP implementation
so that it's not necessary to recompile every program
that does bulk data transfer).
Allow null defaults on $( ... $) lookups. Problem reported by
Amir Plivatsky.
Diagnose crufty S and V config lines. This resulted from an
observation that some people were using the SITE macro
without the SITECONFIG macro first, which was causing
bogus config files that were not caught.
Fix makemap -f flag to turn off case folding (it was turning it
on instead). THIS IS A USER VISIBLE CHANGE!!!
Fix a problem that caused multiple error messages to be sent if
you used "sendmail -t -oem -odb", your system uses fcntl
locking, and one of the recipient addresses is unknown.
Reset uid earlier in include() so that recursive .forwards or
:include:s don't use the wrong uid.
If file descriptor 0, 1, or 2 was closed when sendmail was
called, the code to recover the descriptor was broken.
This sometimes (only sometimes) caused problems with the
alias file. Fix from Motonori Nakamura.
Fix a problem that caused aliaswait to go into infinite recursion
if the @:@ metasymbol wasn't found in the alias file.
Improve error message on newaliases if database files cannot be
opened or if running with no database format defined.
Do a better estimation of the size of error messages when NoReturn
is set. Problem noted by P{r (Pell) Emanuelsson.
Fix a problem causing the "c" option (don't connect to expensive
mailers) to be ignored in SMTP. Problem noted and the
solution suggested by Robert Elz of The University of
Melbourne.
Improve connection caching algorithm by passing "[host]" to
hostsignature, which strips the square brackets and
returns the real name. This allows mailertable entries
to match regular entries.
Re-enable Return-Receipt-To: -- people seem to want this stupid
feature, even if it doesn't work right.
Catch and log attempts to try the "wiz" command in server SMTP.
This also ups the log level from LOG_NOTICE to LOG_CRIT.
Be more generous at assigning $z to the home directory -- do this
for programs that are specified through a .forward file.
Fix from Andrew Chang of Sun Microsystems.
Always save a fatal error message in preference to a non-fatal
error message so that the "subject" line of return
messages is the best possible.
CONFIG: reduce the number of quotes needed to quote configuration
parameters with commas: two quotes should work now, e.g.,
define(ALIAS_FILE, ``/etc/aliases,/etc/aliases.local'').
CONFIG: class $=Z is a set of UUCP hosts that use uucp-dom
connections (domain-ized UUCP).
CONFIG: fix bug in default maps (-o must be before database file
name). Pointed out by Christophe Wolfhugel.
CONFIG: add FEATURE(nodns) to state that we are not relying on
DNS. This would presumably be used in UUCP islands.
CONFIG: add OSTYPE(nextstep) and OSTYPE(linux).
CONFIG: log $u in Received: line. This is in technical violation
of the standards, since it doesn't guarantee a domain
on the address.
CONFIG: don't assume "m" in local mailer flags -- this means that
if you redefine LOCAL_MAILER_FLAGS you will have to include
the "m" flag should you want it. Apparently some Solaris 2.2
installations can't handle multiple local recipients.
Problem noted by Josh Smith.
CONFIG: add confDOMAIN_NAME to set $j (if undefined, $j defaults).
CONFIG: change default version level from 4 to 5.
CONFIG: add FEATURE(nullclient) to create a config file that
forwards all mail to a hub without ever looking at the
addresses in any detail.
CONFIG: properly strip mailer: information off of relays when
used to change .BITNET form into %-hack form.
CONFIG: fix a problem that caused infinite loops if presented
with an address such as "!foo".
CONFIG: check for self literal (e.g., [128.32.131.12]) even if
the reverse "PTR" mapping is broken. There's a better
way to do this, but the change is fairly major and I
want to hold it for another release. Problem noted by
Bret Marquis.
8.5/8.5 93/07/23
Serious bug: if you used a command line recipient that was unknown
sendmail would not send a return message (it was treating
everything as though it had an SMTP-style client that
would do the return itself). Problem noted by Josh Smith.
Change "trymx" option in getcanonname() to ignore all MX data,
even during a T_ANY query. This actually didn't break
anything, because the only time you called getcanonname
with !trymx was if you already knew there were no MX
records, but it is somewhat cleaner. From Motonori
Nakamura.
Don't call getcanonname from getmxrr if you already know there
are no DNS records matching the name.
Fix a problem causing error messages to always include "The
original message was received ... from localhost".
The correct original host information is now included.
Previous change to cf/sh/makeinfo.sh doesn't port to Ultrix (their
version of "test" doesn't have the -x flag). Change it
to use -f instead. From John Myers.
CONFIG: 8.4 mistakenly set the default SMTP-style mailer to
esmtp -- it should be smtp.
CONFIG: send all relayed mail using confRELAY_MAILER (defaults
to "relay" (a variant of "smtp") if MAILER(smtp) is used,
else "suucp" if MAILER(uucp) is used, else "unknown");
this cleans up the configs somewhat. This fixes a serious
problem that caused route-addrs to get mistaken as relays,
pointed out by John Myers. WARNING: this also causes
the default on SMART_HOST to change from "suucp" to
"relay" if you have MAILER(smtp) specified.
8.4/8.4 93/07/22
Add option `w'. If you receive a message that comes to you because
you are the best (lowest preference) target of an MX, and
you haven't explicitly recognized the source MX host in
your .cf file, this option will cause you to try the target
host directly (as if there were no MX for it at all). If
`w' is not set, this case is a configuration error.
Beware: if `w' is set, senders may get bogus errors like
"message timed out" or "host unknown" for problems that
are really configuration errors. This option is
disrecommended, provided only for compatibility with
UIUC sendmail.
Fix a problem that caused the incoming socket to be left open
when sendmail forks after the DATA command. This caused
calling systems to wait in FIN_WAIT_2 state until the
entire list was processed and the child closed -- a
potentially prodigious amount of time. Problem noted
by Neil Rickert.
Fix problem (created in 6.64) that caused mail sent to multiple
addresses, one of which was a bad address, to completely
suppress the sending of the message. This changes
handling of EF_FATALERRS somewhat, and adds an
EF_GLOBALERRS flag. This also fixes a potential problem
with duplicate error messages if there is a syntax error
in the header of a message that isn't noticed until late
in processing. Original problem pointed out by Josh Smith
of Harvey Mudd College. This release includes quite a bit
of dickering with error handling (see below).
Back out SMTP transaction if MAIL gets nested 501 error. This
will only hurt already-broken software and should help
humans.
Fix a problem that broke aliases when neither NDBM nor NEWDB were
compiled in. It would never read the alias file.
Repair unbalanced `)' and `>' (the "open" versions are already
repaired).
Logging of "done" in dropenvelope() was incorrect: it would
log this even when the queue file still existed. Change
this to only log "done" (at log level 11) when the
queue file is actually removed. From John Myers.
Log "lost connection" in server SMTP at log level 20 if there
is no pending transaction. Some senders just close the
connection rather than sending QUIT.
Fix a bug causing getmxrr to add a dot to the end of unqualified
domains that do not have MX records -- this would cause
the subsequent host name lookup to fail. The problem
only occurred if you had FEATURE(nocanonify) set.
Problem noted by Rick McCarty of Texas Instruments.
Fix invocation of setvbuf when passed a -X flag -- I had
unwittingly used an ANSI C extension, and this caused
core dumps on some machines.
Diagnose self-destructive alias loops on RCPT as well as EXPN.
Previously it just gave an empty send queue, which
then gave either "Need RCPT (recipient)" at the DATA
(confusing, since you had given an RCPT command which
returned 250) or just dropped the email, depending on
whether you were running VERBose mode. Now it usually
diagnoses this case as "aliasing/forwarding loop broken".
Unfortunately, it still doesn't adequately diagnose
some true error conditions.
Add internal concept of "warning messages" using 6xx codes.
These are not reported only to Postmaster. Unbalanced
parens, brackets, and quotes are printed as 653 codes.
They are always mapped to 5xx codes before use in SMTP.
Clean up error messages to tell both the actual address that
failed and the alias they arose from. This makes it
somewhat easier to diagnose problems. Difficulty noted
by Motonori Nakamura.
Fix a problem that inappropriately added a ctladdr to addresses
that shouldn't have had one during a queue run. This
caused error messages to be handled differently during
a queue run than a direct run.
Don't print the qf name and line number if you get errors during
the direct run of the queue from srvrsmtp -- this was
just extra stuff for users to crawl through.
Put command line flags on second line of pid file so you can
auto-restart the daemon with all appropriate arguments.
Use "kill `head -1 /etc/sendmail.pid`" to stop the
daemon, and "eval `tail -1 /etc/sendmail.pid`" to
restart it.
Remove the ``setuid(getuid())'' in main -- this caused the
IDENT daemon to screw up. This required that I change
HASSETEUID to HASSETREUID and complicate the mode
changing somewhat because both Ultrix and SunOS seem
to have a bug causing seteuid() to set the saved uid
as well as the effective. The program test/t_setreuid.c
will test to see if your implementation of setreuid(2)
is appropriately functional.
The FallBackMX (option V) handling failed to properly identify
fallback to yourself -- most of the code was there,
but it wasn't being enabled. Problem noted by Murray
Kucherawy of the University of Waterloo.
Change :include: open timeout from ETIMEDOUT to an internal
code EOPENTIMEOUT; this avoids adding "during SmtpPhase
with CurHostName" in error messages, which can be
confusing. Reported by Jonathan Kamens of OpenVision
Technologies.
Back out setpgrp (setpgid on POSIX systems) call to reset the
process group id. The original fix was to get around
some problems with recalcitrant MUAs, but it breaks
any call from a shell that creates a process group id
different from the process id. I could try to fix
this by diddling the tty owner (using tcsetpgrp or
equivalent) but this is too likely to break other
things.
Portability changes:
Support -M as equivalent to -oM on Ultrix -- apparently
DECnet calls sendmail with -MrDECnet -Ms<HOST> -bs
instead of using standard flags. Oh joy. This
behavior reported by Jon Giltner of University
of Colorado.
SGI IRIX -- this includes several changes that should
help other strict ANSI compilers.
SCO Unix -- from Murray Kucherawy of HookUp Communication
Corporation.
Solaris running the Sun C compiler (which despite the
documentation apparently doesn't define
__STDC__ by default).
ConvexOS from Eric Schnoebelen of Convex.
Sony NEWS workstations and Omron LUNA workstations from
Motonori Nakamura.
CONFIG: add confTRY_NULL_MX_LIST to set option `w'.
CONFIG: delete `C' and `e' from default SMTP mailers flags;
several people have made a good argument that this
creates more problems than it solves (although this
may prove painful in the short run).
CONFIG: generalize all the relays to accept a "mailer:host"
format.
CONFIG: move local processing in ruleset 0 into a new ruleset
98 (8 on old sendmail). Domain literal [a.b.c.d]
addresses are also passed through this ruleset.
CONFIG: if neither SMART_HOST nor MAILER(smtp) were defined,
internet-style addresses would "fall off the end" of
ruleset zero and be interpreted as local -- however,
the angle brackets confused the recursive call.
These are now diagnosed as "Unrecognized host name".
CONFIG: USENET rules weren't included in S0 because of a mistaken
ifdef(`_MAILER_USENET_') instead of
ifdef(`_MAILER_usenet_'). Problem found by Rein Tollevik
of SINTEF RUNIT, Oslo.
CONFIG: move up LOCAL_RULE_0 processing so that it happens very
early in ruleset 0; this allows .mc authors to bypass
things like the "short circuit" code for local addresses.
Prompted by a comment by Bill Wisner of The Well.
CONFIG: add confSMTP_MAILER to define the mailer used (smtp or
esmtp) to send SMTP mail. This allows you to default
to esmtp but use a mailertable or other override to
deal with broken servers. This logic was pointed out
to me by Bill Wisner. Ditto for confLOCAL_MAILER.
Changes to cf/sh/makeinfo.sh to make it portable to SVR4
environments. Ugly as sin.
8.3/8.3 93/07/13
Fix setuid problems introduced in 8.2 that caused messages
like "Cannot create qfXXXXXX: Invalid argument"
or "Cannot reopen dfXXXXXX: Permission denied". This
involved a new compile flag "HASSETEUID" that takes
the place of the old _POSIX_SAVED_IDS -- it turns out
that the POSIX interface is broken enough to break
some systems badly. This includes some fixes for
HP-UX. Also fixes problems where the real uid is
not reset properly on startup (from Neil Rickert).
Fix a problem that caused timed out messages to not report the
addresses that timed out. Error messages are also more
"user friendly".
Drop required bandwidth on connections from 64 bytes/sec to
16 bytes/sec.
Further Solaris portability changes -- doesn't require the BSD
compatibility library. This also adds a new
"HASGETDTABLESIZE" compile flag which can be used if
you want to use getdtablesize(2) instead of sysconf(2).
These are loosely based on changes from David Meyer at
University of Oregon. This now seems to work, at least
for quick test cases.
Fix a problem that can cause duplicate error messages to be
sent if you are in SMTP, you send to multiple addresses,
and at least one of those addresses is good and points
to an account that has a .forward file (whew!).
Fix a problem causing messages to be discarded if checkcompat()
returned EX_TEMPFAIL (because it didn't properly mark
the "to" address). Problem noted by John Myers.
Fix dfopen to return NULL if the open failed; I was depending
on fdopen(-1) returning NULL, which isn't the case. This
isn't serious, but does result in weird error diagnoses.
From Michael Corrigan.
CONFIG: add UUCP_MAX_SIZE M4 macro to set the maximum size of
messages sent through UUCP-family mailers. Suggested
by Bill Wisner of The Well.
CONFIG: if both MAILER(uucp) and MAILER(smtp) are specified,
include a "uucp-dom" mailer that uses domain-style
addressing. Suggested by Bill Wisner.
CONFIG: Add LOCAL_SHELL_FLAGS and LOCAL_SHELL_ARGS to match
LOCAL_MAILER_FLAGS and LOCAL_MAILER_ARGS. Suggested by
Christophe Wolfhugel.
CONFIG: Add OSTYPE(aix3). From Christophe Wolfhugel.
8.2/8.2 93/07/11
Don't drop out on config file parse errors in -bt mode.
On older configuration files, assume option "l" (use Errors-To
header) for back compatibility. NOTE: this DOES NOT
imply an endorsement of the Errors-To: header in any way.
Accept -x flag on AIX-3 as well as OSF/1. Why, why, why???
Don't log errors on EHLO -- it isn't a "real" error for an old
SMTP server to give an error on this command, and
logging it in the transcript can be confusing. Fix
from Bill Wisner.
IRIX compatibility changes provided by Dan Rich
<drich@sandman.lerc.nasa.gov>.
Solaris 2 compatibility changes. Provided by Bob Cunningham
<bob@kahala.soest.hawaii.edu>, John Oleynick
<juo@klinzhai.rutgers.edu>
Debugging: -d17 was overloaded (hostsignature and usersmtp.c);
move usersmtp (smtpinit and smtpmailfrom) to -d18 to
match the other flags in that file.
Flush transcript before fork in mailfile(). From Eric Wassenaar.
Save h_errno in mci struct and improve error message display.
Changes from Eric Wassenaar.
Open /dev/null for the transcript if the create of the xf file
failed; this avoids at least one possible null pointer
reference in very weird cases. From Eric Wassenaar.
Clean up statistics gathering; it was over-reporting because of
forks. From Eric Wassenaar.
Fix problem that causes old Return-Path: line to override new
Return-Path: line (conf.c needs H_FORCE to avoid
re-using old value). From Motonori Nakamura.
Fix broken -m flag in K definition -- even if -m (match only)
was specified, it would still replace the key with the
value. Noted by Rick McCarty of Texas Instruments.
If the name server timed out over several days, no "timed out"
message would ever be sent back. The timeout code
has been moved from markfailure() to dropenvelope()
so that all such failures should be diagnosed. Pointed
out by Christophe Wolfhugel and others.
Relax safefile() constraints: directories in an include or
forward path must be readable by self if the controlling
user owns the entry, readable by all otherwise (e.g.,
when reading your .forward file, you have to own and
have X permission in it; everyone needs X permission in
the root and directories leading up to your home);
include files must be readable by anyone, but need not
be owned by you.
If _POSIX_SAVED_IDS is defined, setuid to the owner before
reading a .forward file; this gets around some problems
on NFS mounts if root permission is not exported and
the user's home directory isn't x'able.
Additional NeXT portability enhancements from Axel Zinser.
Additional HP-UX portability enhancements from Brian Bullen.
Add a timeout around SMTP message writes; this assumes you can
get throughput of at least 64 bytes/second. Note that
this does not impact the "datafinal" default, which
is separate; this is just intended to work around
network clogs that will occur before the final dot
is sent. From Eric Wassenaar.
Change map code to set the "include null" flag adaptively --
it initially tries both, but if it finds anything
matching without a null it never tries again with a
null and vice versa. If -N is specified, it never
tries without the null and creates new maps with a
null byte. If -O is specified, it never tries with
the null (for efficiency). If -N and -O are specified,
you get -NO (get it?) lookup at all, so this would
be a bad idea. If you don't specify either -N or -O,
it adapts.
Fix recognition of "same from address" so that MH submissions
will insert the appropriate full name information;
this used to work and got broken somewhere along the
way.
Some changes to eliminate some unnecessary SYSERRs in the
log. For example, if you lost a connection, don't
bother reporting that fact on the connection you lost.
Add some "extended debugging" flags to try to track down
why we get occasional problems with file descriptor
one being closed when execing a mailer; it seems to
only happen when there has been another error in the
same transaction. This requires XDEBUG, defined
by default in conf.h.
Add "-X filename" command line flag, which logs both sides of
all SMTP transactions. This is intended ONLY for
debugging bad implementations of other mailers; start
it up, send a message from a mailer that is failing,
and then kill it off and examine the indicated log.
This output is not intended to be particularly human
readable. This also adds the HASSETVBUF compile
flag, defaulted on if your compiler defines __STDC__.
CONFIG: change SMART_HOST to override an SMTP mailer. If you
have a local net that should get direct connects, you
will need to use LOCAL_NET_CONFIG to catch these hosts.
See cf/README for an example.
CONFIG: add LOCAL_MAILER_ARGS (default: `mail -d $u') to handle
sites that don't use the -d flag.
CONFIG: hide recipient addresses as well as sender addresses
behind $M if FEATURE(allmasquerade) is specified; this
has been requested by several people, but can break
local aliases. For example, if you mail to "localalias"
this will be rewritten as "localalias@masqueradehost";
although initial delivery will work, replies will be
broken. Use it sparingly.
CONFIG: add FEATURE(domaintable). This maps unqualified domains
to qualified domains in headers. I believe this is
largely equivalent to the IDA feature of the same name.
CONFIG: use $U as UUCP name instead of $k. This permits you
to override the "system name" as your UUCP name --
in particular, to use domain-ized UUCP names. From
Bill Wisner of The Well.
CONFIG: create new mailer "esmtp" that always tries EHLO
first. This is currently unused in the config files,
but could be used in a mailertable entry.
8.1C/8.1B 93/06/27
Serious security bug fix: it was possible to read any file on
the system, regardless of ownership and permissions.
If a subroutine returns a fully qualified address, return it
immediately instead of feeding it back into rewriting.
This fixes a problem with mailertable lookups.
CONFIG: fix some M4 frotz (concat => CONCAT)
8.1B/8.1A 93/06/12
Serious bug fix: pattern matching backup algorithm stepped by
two tokens in classes instead of one. Found by Claus
Assmann at University of Kiel, Germany.
8.1A/8.1A 93/06/08
Another mailertable fix....
8.1/8.1 93/06/07
4.4BSD freeze. No semantic changes.
6.65/6.34 93/06/06
Fix some lintish problems.
Fix some cases where server SMTP behaved poorly when handed bogus
input, pointed out by Eric Wassenaar.
CONFIG: fix some more (sigh) mailertable bugs -- thanks to
Motonori Nakamura of Kyoto University (again).
6.64/6.33 93/06/05
Don't send 050 (-v) information after the 250 response to a QUIT
command in srvrsmtp -- clients usually close the connection
at this point, and it causes bogus error messages.
Don't send messages that have errors on input (such as unbalanced
parentheses) during SMTP transactions, since a return
message has (probably) already been sent.
Give better diagnostics on timeouts during network reads, including
information similar to the SMTP phase.
Fix bug that caused SMTP messages to deliver synchronously; this
happened after the DATA 250, and hence caused reading the
next command to be delayed.
Ignore Errors-To: header unless 'l' (lower case el) header is
specified. The Errors-To: header violates RFC 1123.
Errors-To: was only needed to take the place of the
envelope sender in the days when most Unix mailers
didn't understand about the two kinds of senders.
Don't send warning messages in response to automatically generated
messages (that is, those From:<>).
CONFIG: fix some rather stupid typos in the mailertable code
pointed out by Motonori Nakamura of Kyoto University.
CONFIG: add confUSE_ERRORS_TO configuration option.
CONFIG: if ALWAYS_ADD_DOMAIN is selected, try to use $M
(masquerade name) instead of $j.
CONFIG: don't add dots to relay names (added in 6.29); it breaks
several things, and can be simulated by dot terminating
the names of relays. For example, use:
DBbit.net.relay.
(note the trailing dot).
6.63/6.32 93/06/01
Fix prototypes to eliminate chars in argument lists -- some
compilers are pissy about this.
Log protocol ($r) and body type if set so we can determine if
the adaptive algorithms are working.
Pessimize on locking of database files (particularly for NEWDB
databases) during opens. There were problems with
processes opening the file while it was rebuilt; since
NEWDB caches heavily, the reader opened an empty file,
which is an error. If your system has the ability to
lock atomically on open, this works properly; otherwise,
there are race conditions.
Check mod time on .pag file instead of .dir in NDBM aliases
because the .dir file doesn't get updated for small
alias files. From John Gardiner Myers of CMU.
More Solaris portability -- it now compiles on Solaris, but
hangs up in gethostbyname().
Move setting of RES_DEBUG flag before first myhostname() call
so we can see name server traffic on that call.
Fsync() queue files.
Fix a problem that causes -bi to try to rebuild maps other than
the alias file(s).
Fix a problem that caused udb to reject entries from any but
the first database listed.
Rearrange doc subdirectory for 4.4BSD release tape.
CONFIG: put $r into the Received line. This was an oversight.
CONFIG: fix typo (call to ruleset 99 should have been ruleset 90).
CONFIG: move "auxiliary" subroutines to be in ruleset 90-99
range -- in the long run, single digit rulesets may
become reserved for builtin use by sendmail.
CONFIG: fix major problem that causes host aliases (that is,
anything in $=w != $j) to not be recognized. This has
been around since 6.30.
6.62/6.31 93/05/28
BETA RELEASE
Fix recursive syserr (if there is an error printing a syserr
message). This makes the code much less eager to consider
a write error as serious. This also includes some
heuristics to be clever about closed connections.
Lock NEWDB files during gets. This requires version 1.5 or later
of the db library. If you have an older version, you
can use -DOLD_NEWDB. This will go away in a few weeks.
Fix problem causing aliases that use host maps to get overwritten.
Do appropriate byte swapping on port numbers in ident protocol
code. Fix from Allan Johannesen of WPI.
Defer opening of map files to the same time as alias files so that
the daemon will tend to pick up new versions more promptly.
Prototype a bunch more functions.
Some Solaris 2.1 changes (still doesn't link though).
Try to simplify Makefiles by including more subordinate #defines
in conf.h (based on OS type).
CONFIG: check for domains if FEATURE(mailertable) is defined.
For example, if the host name is "knecht.cs.berkeley.edu"
it will search the following mailertable keys:
knecht.cs.berkeley.edu
.cs.berkeley.edu
.berkeley.edu
.edu
This could be used to replace the special relays for bitnet
and similar nets.
6.61/6.30 93/05/24
Fix problem that prevented appending dots on canonified host
names. This breaks tons of config files -- very
important fix.
Fix improper pointer dereference in response to HELO command.
Fix core dump if debugging set in map_rewrite.
CONFIG: add FEATURE(always_add_domain) to always attach the
local domain (only impacts local mail).
CONFIG: try to avoid turning names into $j -- although
technically a host can only have one "canonical name",
it seems to be common practice to have several.
6.60/6.29 93/05/22
Major change: merge alias databases with maps. This expands and
changes the map class interface but fixes a bunch of bugs.
The important user-visible change is that the file name
in a K line now does not include the ".db" extension; this
is added automatically. Also, the -d (NIS domain) flag is
missing from the K config line; use @domain instead.
When compiling, the *_MAP names are gone -- just compile
in NDBM, NEWDB, and/or NIS support.
Announce mailer/host/user triple on -bv flag -- from Brian
Bullen of Stirling University.
Don't send more than one line in response to HELO -- it confuses
Pony Express, which then behaves very badly. However,
this change does send two line 220 greetings, with the
second line reading "ESMTP spoken here". The usersmtp
module recognizes this and goes into ESMTP mode regardless
of the setting of the "a" mailer flag. Thus, "a" means
"always try EHLO".
AIX portability changes (thanks to Christophe Wolfhugel of
Herve Schauer Consultants (Paris) for providing me with
an INSA account for this purpose). Lightly tested. Use
-D_AIX3. This probably breaks compatibility with some
older systems (e.g., 4.2bsd) but still works on SunOS
4.1.2, Ultrix 4.2A, HP-UX 8.07, OSF/1 T1.3, and AIX 3.2.3.
Fix a problem causing an error message loop if the output channel
is hosed.
Add the Makefiles that I use for various environments -- some are
Berkeley make versions and some are old make versions.
My makefile for the NeXT box has gotten lost, alas!
PRALIASES: support for printing NEWDB databases. From
Michael J. Corrigan of U.C. San Diego.
CONFIG: don't pass pseudo-domains to $[ ... $] (if you have
a wildcard MX it can have weird results). From
Christophe Wolfhugel.
CONFIG: dot terminate relay hostnames in S0. From Christophe
Wolfhugel.
6.59/6.28 93/05/13
Log version with SMTP daemon startup message.
Adjust setproctitle to work on NetBSD and BSD/386.
Fix null pointer reference in MX fallback code.
A bunch of minor fixes from Eric Wassenaar:
If deliver cannot execv the mailer, return EX_OSERR
instead of EX_TEMPFAIL (to give better
error messages).
Consistently malloc e_message.
Catch degenerate case of calling returntosender()
with an empty returnq.
MIME reformatting.
6.58/6.28 93/05/13
Fix bug that can cause incorrect verbose display of user smtp
messages.
Disable SMTP VERB command if PRIV_NOEXPN is set (since this
could reveal the same information.
Allow failure when reading SMTP greeting message to go on to
next MX host.
Add "MIME-Version: 1.0" header if using MIME (this was NOT
included in RFC 1344, but Bill King of Allan-Bradley
Company forwarded me email from Nathaniel Borenstein
claiming that it was an inadvertent omission).
Don't use Content-Type: X-message-header. According to John
Myers of CMU, many MIME readers will completely ignore
the data if they don't recognize it. Instead, just
add a blank line to make it a legal (empty) message.
Fix problem causing dots to keep getting appended to cached
hostnames. This can cause buffer overrun conditions.
The problem was found by Erik Forsberg of Retix,
although I used a different bug fix than he provided.
Fix parsing of split header/envelope rewriting specs -- from
Eric Forsberg.
Fix from Eric Wassenaar to correct To: lists in error messages.
6.57/6.28 93/05/11
Fix minor glitch causing extra ctladdrs to be output to queue
file. Just an annoyance.
Cache results of name server canonification lookups to avoid
backed up queue runs.
Major rewrite of alias.c: considerable cleanup, plus sample
(untested) support for NIS aliases. The "A" option
can now be a comma separated list (or be repeated) --
that is, you can have multiple alias databases. Each
database can have the syntax ``class:file''; if no class
is specified, the "implicit" class is assumed. Implicit
searches through a list of compiled in types -- hash,
dbm, nis, and stab. Alias files are searched in the
order they are listed. For example:
OAhash:/etc/aliases.local,/etc/aliases
OAnis:mail.aliases@my.nis.domain
first searches the hash database /etc/aliases.local,
then the regular /etc/aliases database, then the NIS
map "mail.aliases" in the NIS domain "my.nis.domain".
If in Verbose mode (probably from VERB command) run SMTP job
in foreground and don't do RCPT optimizations.
Add udb :mailsender as equivalent to owner- for regular aliases.
Delete option 8; add option 7 that means the opposite. That is,
default to 8-bit mode; a special option is needed to
force sendmail into 7 bit mode.
Send error messages in encapsulated MIME format.
New compile flag "NIS" that turns on NIS alias and NIS map
support.
Add "j" option to send error messages in MIME (RFC 1341)
encapsulated message format per RFC 1344. The
syntax is pretty ugly if you don't have MIME-aware
user agents.
Clean up message handling (for display in mailq output).
New setproctitle implementation for 4.4bsd.
Create files (such as ~/dead.letter) using mode FileMode (the
F option value) instead of 0666.
Fix bug causing output of EXPN command to not be fully qualified.
This may cause some problems with UUCP addresses that
will require some config file assistance -- specifically,
the $: part has to include the host name for this output
to make sense.
Fix a problem that sometimes diagnosed errors and still sent the
message if the header syntax was bad.
Fix a bug that caused an error message to be emailed when sendmail
was operating in -bv mode.
Add "ListenQueueSize" keyword to daemon options option (OO) to
set the queue size parameter passed to listen(). You
will normally have to tweak your kernel to up this.
Strip spaces off of beginning of message-id before logging (in
case it was folded across lines).
Tweak compile flags in daemon.c -- there were some cases where
it wouldn't work without NETINET.
Change *file* mailer to output all the usual default headers
(From, Date, Message-Id). It gets used when sending
back error messages.
CONFIG: explicitly catch and diagnose list:; syntax in ruleset
zero -- this is not a valid recipient syntax according
to RFC 821.
CONFIG: add confMIME_FORMAT_ERRORS to send error messages in
MIME format. Defaults to on.
CONFIG: add SMTP_MAILER_FLAGS and UUCP_MAILER_FLAGS to augment
the flags for those mailers.
6.56/6.27 93/05/01
Fix problem that causes the fallback mail to postmaster
(case ESM_POSTMASTER in savemail()) to not look at
aliases (ugh).
Some more HPUX tweaking (compile flag hpux => __hpux so it
still works in ANSI mode).
Don't try to flock non-regular files when mailing to a file.
In particular, this was a problem if you tried to
send to /dev/null.
Fix a weird bug that can cause senders to be queued as
recipients if the name server is down when the mail
is initially sent. This hack just ignores sender
deletion (essentially, it sets the MeToo flag) if there
is a TEMPFAIL during processing of the sender address.
Obscure.
Fix a dangling else problem -- from Brian Bullen from University
of Stirling, UK.
Add the "b" mailer flag to force a blank line on the end of
messages. Some brilliant versions of /bin/mail insist
on this but do not add it themselves.
Add the "g" mailer flag to prevent user SMTP from sending
"MAIL From:<>". This is only intended to be a
transitional gesture, and should not be used if at
all possible. It appears that Berkeley and IDA
config files have always handled this properly; the
UK config kit apparently does not.
Don't lowercase and then capitalize header field names -- leave
them with original capitalization. Fixes from Bill
King of Allen-Bradley Company.
Further cleanup and improved reporting of error messages,
particularly conditions that cause messages to be
requeued for future delivery.
Tweak syslog priorities in some cases.
CONFIG: clean up route-addr on UUCP addresses.
6.55/6.25 93/04/27
HPUX 8.07 compatibility changes in getla() -- I had to make
these changes to get it to work at Berkeley, although
others seem to have been working before (???).
Various patches to XLA code.
Fix problem that causes setuid bit on files to be ignored from
SMTP or in queue runs. Problem noted by Jason Ornstein
of Under The Wire, Inc.
Fix problem that can cause CNAMEs to be ignored.
Generalize getmxrr to match local host in $=w instead of a
single name passed in.
Some cleanup from Eric Wassenaar:
Use FileMailer instead of ProgMailer in two places.
Eliminate duplicate 8th-bit stripping in commaize.
Fix a problem with mis-parsing of backslash escapes
under some circumstances.
NIS map fix (was always including trailing null character)
from Mike Glendinning of Ingres UK.
Add "a" mailer flag to try using ESMTP. It tries the EHLO
command and if that fails falls back to regular SMTP.
Also parses EHLO option keywords. If host supports
SIZE extension, this is added to the MAIL FROM:
command.
Extend "b" option to include a second value which is the
maximum message size this server is willing to accept.
For example, a value of "10/1000000" says that there
must be ten blocks free, and sendmail will reject
any message larger than one megabyte.
Some portability hooks for NeXT (this could be applicable
to Mach in general). You have to create an empty
file called "unistd.h" to get it to compile.
Adjust config values (MAXLINE, MAXATOM, and PSBUFSIZE) to
be more generous.
Add X400-Received: to the list of headers tagged with H_TRACE
in conf.c. From Bill King, Allen-Bradley Co.
6.54/6.25 93/04/19
Fix problem that caused redefinition of SMTP and QUEUE compile
flags. Pointed out by Jon Forrest of the Sequoia 2000
project at Berkeley.
Properly handle \! hack -- it was treating host\!user as one
token (host!user) instead of three (host, !, user).
Fix from Eric Wassenaar of NIKHEF-H.
Fix compilation problem in getauthinfo() if IDENTPROTO is off.
Turn off DEFNAMES and DNSRCH when getting the hostsignature
(i.e., MX records) in level 1 configuration files; this
matches the old behavior. From Motonori Nakamura of
Kyoto University.
Improve error message printing -- if sent through an alias,
error messages include the name of the alias in the
message. Unfortunately, in order to make this work
properly in queue runs, this changes the format of the
C line in the qf file. The relatively uselessness of
the previous information was pointed out to me by
Allan E Johannesen of WPI.
Add XLA compile flag to add hooks to Christophe Wolfhugel's
extended load average code. This is still in very early
form. For information regarding the guts of the xla
code, contact Christophe.Wolfhugel@grasp.insa-lyon.fr.
Additional hooks for detecting tempfails in rewriting rules
(that is, in map lookups).
6.53/6.25 93/04/15
Properly diagnose ruleset zero returning null (instead of a mailer
triple). From Motonori Nakamura of Kyoto University.
More generalization of socket code for other protocols.
Shorten timeouts on reverse name lookups -- since they are done
during connection establishment, long timeouts here can
cause higher level timeouts. This mainly serves to accept
mail from hosts that do not have proper reverse (PTR) DNS
records set up.
Reset e_statmsg before each mailer invocation to avoid bogus
messages in the log.
Redefine $r, $s, and $_ in error envelopes so you don't get
incorrect cruft in the error message. Problem noted by
Motonori Nakamura of Kyoto University.
Fix a problem that can cause failure to return errors to Postmaster
in certain cases. From Motonori Nakamura.
Fix a problem that can cause some systems to give duplicate error
messages when a bad syntax address such as "<a" is presented
to an SMTP server. It doesn't seem to occur on all
machines. From Motonori Nakamura.
Default IDENTPROTO off for Ultrix and HPUX, which apparently have
the interesting "feature" that when they receive a "Host
unreachable" message they closes all open connections to
that host. However, some firewall gateways send this message
if you try to connect to an unauthorized port, such as the
IDENT port (113). Thus, no email can be received from such
hosts. There is some evidence that versions of Ultrix before
4.3 do not have this problem. Thanks to Tom Ivar Helbekkmo
for pointing out this behavior to me and to Michael Corrigan
of U.C. San Diego for informing me about the HPUX problem.
Allow IPC mailers to return a colon-separated list of hosts in the
$@ clause; these are searched in order as though they were
MX records.
When sending an error report, print the list of addresses tagged
as bad. Requested by Allan E Johannesen of WPI.
Change map function calls to return a status code. This gets
passed back as the result of rewrite. Parseaddr marks
the address as a QUEUEUP address if the return code is
EX_TEMPFAIL. All this to queue properly if the name
server is down. This code is not well tested. This code
changes the interface to map lookup functions (a fifth
parameter, int *statp, is added). Feature requested by
Dan Oscarsson.
Don't delete quotes (in the dequote map) if there are spaces in
the string, since this would cause them to be replaced by
the SpaceSub character.
Accept BODY=8BITMIME on SMTP MAIL command. This isn't advertised
because the 8BIT to 7BIT translation doesn't exist yet.
This does add a "bodytype" field to both envelope and
queue file and a -B command line flag to pass the type in
during direct invocations.
Discard return error messages only on responses to responses to
responses, not on responses to responses. That is, the
algorithm is to try return to sender, then return to
postmaster, then discard. Previously it discarded
immediately if the return to sender pass failed.
CONFIG: back out change to hide unqualified hostnames behind %-hack.
This screws up local aliases and .forward files.
CONFIG: add FEATURE(nocanonify) to turn off calls to $[ ... $];
some sites only handle completely canonified names.
Requested by John Gardiner Myers of CMU.
CONFIG: some UUCP code was still included even if FEATURE(nouucp)
was specified.
6.52/6.24 93/04/10
Clean up some minor glitches on error return messages pointed out
by Motonori Nakamura of Kyoto University.
Fix reply() to not reset SmtpReplyBuffer on fatal errors; this
was supposed to reset SmtpMsg Buffer. This makes the
client side code virtually useless. Reported by Allan
E Johannesen of WPI and Phil Brandenberger of Swarthmore.
Better debug messages if fuzzy is disabled, suggested by Allan
E Johannesen of WPI.
Offset SmtpReplyBuffer by four in usersmtp when checking for
loopback. From Eric Wassenaar.
Don't set $s until after runinchild in srvrsmtp -- otherwise
it gets cleared. From Eric Wassenaar.
Implement IDA-style $&x for deferred macro expansion.
More POSIX compatibility.
CONFIG: Hide unqualified hostnames behind %-hack using $s as the
actual sender. This is only done if $r is non-null, that
is, if this is not locally submitted mail.
CONFIG: Add FEATURE(bitdomain) allowing mapping of BITNET host
names to internet domains. A program contributed by
John Gardiner Myers of CMU to create the maps is included
in the contrib directory (in the "misc" tar file).
CONFIG: Add FEATURE(uucpdomain) for a similar mapping for UUCP
hosts. There is currently no tool to create this map.
6.51/6.23 93/04/04
Add D= mailer flag to specify a path of possible working directories
in which to execute the mailer. This is intended for the
prog mailer; some shells can get upset if they don't have
access to the current directory.
Add RFC 1413 (IDENT) protocol support. This is only very loosely
tested. This adds a $_ macro to be the authenticated
info (in ``user@domain [address]'' form) and debug flag
9 to trace the protocol.
Check for loopbacks in usersmtp instead of srvrsmtp -- there is no
reason for a local agent to not be talking to the localhost
(although the inverse is not true).
Add a few hooks for automated map rebuilding. This is certainly
not done yet.
CONFIG: Have prog mailer specify a path of ``D=$z:/'' -- that is,
user's home directory then the root.
CONFIG: Log RFC 1413 identification in Received: line.
6.50/6.22 93/04/01
Fixes to requeueing code to make it compute priority, nrcpts,
and the like properly.
6.49/6.22 93/04/01
Diagnose incorrect privacy flags. Suggested by Bryan Costales
of ICSI.
Some ANSI C fixes.
Arrange to quote backslashes as well as other special characters
in the phrase part of a route-addr.
Some fixes to FallBackMX code suggested by Motonori Nakamura of
Kyoto University.
More vigorous zeroing of CurHostAddr to avoid logging of bogus
host addresses when you are actually just printing
information from the MCI structure; problem noted by
Michael Corrigan of U.C. San Diego.
Don't ignore rest of queue if any job is not runnable. This can
also cause an incorrect job to be lost. Fix from
Eric Wassenaar.
Always respond "quickly" to RCPT command; do alias expansion and
the like later. This also means that mail for lists that
have errors will be accepted, and an error sent back
later. This is done by instantiating the queue file
and then immediately running and requeueing it.
6.48/6.22 93/03/30
Fix incorrect diagnosis of infinite loop in ruleset. Problem noted
by several people.
Improve information printed when infinite loops are discovered.
Zero CurHostAddr to fix erroneous internet addresses in log when no
addresses can be bound. Pointed out by Motonori Nakamura
of Kyoto University.
"Probe" SMTP connections using RSET instead of NOOP "just in case".
Suggested by John Gardiner Myers of CMU.
Don't warn about -f if you are setting sender to yourself.
6.47/6.22 93/03/29
Fix incompatible call to endmailer in smtpquit which causes core
dumps. Noted by Allan E Johannesen of WPI.
HPUX portability changes from Michael J. Corrigan of UC San Diego.
Require MAIL before RCPT command in srvrsmtp.c. This had been
intentional from the 821 draft days when the order wasn't
clear, but is silly now.
Fix bug in nis_magic routine that was initializing parameters
incorrectly. Fix from Takahiro Kanbe of Fuji Xerox
Information Systems Co., Ltd.
Change default for PrivacyFlags in conf.c to 0 -- since it always
"or"s in new values, there was no way to turn off the
AuthWarning stuff.
Add O option to set SMTP daemon options.
Add V option to set fallback MX host. This always sorts at lower
priority than anything it gets from the name server. It
should only be used for environments with very bad network
connectivity. Requested by several people.
Log sending info. It's not clear this is a good idea.
CONFIG: fix typo in mailertable code. Noted by Phil Brandenberger
of Swarthmore.
CONFIG: add confDAEMON_OPTIONS and confFALLBACK_MX to set options
O and V, respectively.
6.46/6.21 93/03/26
Fix botch in server SMTP that broke transactions that did not
use HELO first (like MH). Fix from Michael Corrigan
of U.C. San Diego.
Fall back to other MX records if there is an error anywhere
in delivery (actually on MAIL or DATA -- RCPT is harder).
Suggested by John Gardiner Myers and Motonori Nakamura.
Revert to non-prototypes -- it turns out that our ANSI C
compiler is more forgiving than most others about
mixing prototyped extern declarations with non-prototyped
function definitions.
Fix a problem with multi-word class matching pointed out by
Neil Rickert. Given:
CX b a.b.c
R$+ $=X $+ $: $1 < $2 > $3
the input "user@a.b.c" failed instead of being properly
rewritten as "user@a.<b>.c".
Neil also convinced me that it was correct that $~ should match
only one token -- the problem is that it's always possible
to add another token, so $~ matches far too eagerly.
6.45/6.21 93/03/25
Implement multi-word classes (properly!).
6.44/6.21 93/03/25
Add X-Authentication-Warning: headers to clue users into possible
attempts to forge mail. This is on the authwarnings
privacy flag, but is the default. Suggested by Bryan
Costales of ICSI.
Pass default units for convtime in so they can be more reasonable.
Allow config files to always add a new Comments: header (i.e.,
they will be added even if an old one already exists).
Suggested by Bryan Costales of ICSI.
Allow config files to delete an existing Return-Path: header.
These should only be added at final delivery. Suggested
by Bryan Costales of ICSI.
Some debugging additions. Suggested by Bryan Costales of ICSI.
Clean up logging of Family 0 addresses. Noted by David Muir
Sharnoff and others.
Add a "dequote" map class. This allows config files to strip
quotes off of addresses. Note that this is not a builtin
map, just a class -- so you have to define the map
using the K line.
Fix a bug in the queueup() loop getting a locked tf where in
very odd cases it can fall off the bottom and core dump.
Of course, it was P{r Emanuelsson who found it....
Open a new transcript when splitting an envelope. Problem found
by Allan E Johannesen of WPI.
Improved error output in endmailer if the mailer core dumps.
CONFIG: Fix typo in UUCP mailer definition.
CONFIG: Default several of the new options on: eight bit input,
privacy flags set to "authwarnings", and message warning
set to 4h.
CONFIG: Use dequote map.
6.43/6.20 93/03/23
Fix problem with assumption of an sa_len field in a generic
sockaddr -- it turns out that most vendors haven't
picked up this (very important) fix.
Change compilation flags for daemon code -- select one or both
of NETINET or NETISO, but don't ever set DAEMON manually.
CONFIG: add FEATURE(mailertable) to do IDA-style mailertables.
6.42/6.19 93/03/19
Use Postmaster as default fallback return address, not root.
POSIX changes for file descriptor handling.
Diagnose errors writing new queue file.
If you change the owner using an owner- alias, also change the
error mode to EM_MAIL so that errors don't get dropped
into an inappropriate directory. Problem noted by
Allan E Johannesen of WPI.
If you are su'ed to root, send email as who you really are, not
as root. From Brian Kantor of U.C. San Diego.
Allow warning messages to be sent after a configurable interval
has passed without delivery. The message is sent only
once per envelope. This changes the format of the qf
file to have an F line, and the format of the T option
to accept take the format "return/warn" (both intervals).
Don't force all local names to lower case -- this was left over
from the weird handling of case mapping on aliases. It
is now driven (as expected) by the "u" mailer flag.
Problem noted by P{r Emanuelsson.
Fix problem that caused headers on returned email to be trashed;
they were getting freed, but are still accessible via
BlankEnvelope.
Fix problem that caused bogus ids to be created on returned
mail.
Add support for ISO and other non-INET networking. This is by
no means finished yet. This does assume a lot of other
system support, like a version of gethostbyname that
returns non-AF_INET addresses.
CONFIG: change default on prog mailer to keep upper case in
user names (i.e., in the program command line).
CONFIG: strip trailing dots off of hosts in uucp mailer before
convert to bang format.
CONFIG: create new "relay" mailer for $R (LOCAL_RELAY) and $H
(MAIL_HUB) delivery that doesn't add local domain. Note
that this violates 821, but is probably "more correct"
for what we are trying to do. Problem pointed out by
Michael Graff of Iowa State.
6.41/6.18 93/03/18
Clean up unnecessary creates of queue ids (i.e., empty qf files)
when not needed, such as when starting up an SMTP
connection.
Fix problem where split envelopes aren't instantiated in the queue.
This is quite a serious bug.
Owner- aliases had problems with leading spaces causing a
premature delimitation.
6.40/6.18 93/03/18
Have ending 250 (after DATA) include the id; suggested by
Brian Kantor of UC San Diego.
Add logging on envelope splitting.
Change queue ids to have one more letter encoding the hour of
the day so that during a single day there is a greater
likelihood of uniqueness; requested by Brian Kantor.
6.39/6.18 93/03/18
Fix minor compile problem if LOCKF is defined.
Define size of tobuf in conf.h. Observed by Toshinari Takahashi
of Toshiba.
Restore e_sender -- this is equivalent to e_from.q_paddr without
decorations such as angle brackets and comments.
OSF/1 on Alpha changes from Allan E Johannesen of WPI.
CONFIG: fix typo in S3 for list syntax (;: => :;). Thanks to
Christopher Hoover for noting the problem.
6.38/6.17 93/03/17
Pass envelope to disconnect to avoid another use of CurEnv, which
can apparently end up being null at inopportune times.
Log "received from" as "relay=" for consistency (suggested by
John Gardiner Myers).
Fix major bug in header handling: if no From: line existed in
the header (so sendmail inserts one), and the sender is
an alias that has an owner, the From: line shows the
owner (as well as the envelope). Fixed by early binding
the headers (which will change debugging output).
HPUX portability patches from Michael J. Corrigan of UC San Diego.
Some attempts to adapt better to out of open file conditions.
Some changes to ctladdr handling in queue files.
6.37/6.17 93/03/16
MAJOR CHANGE: delete e_sender and e_returnpath (why are these
different from e_from?) and $< macro.
Log correct IP address in relay= field even if the connection
times out.
Log "received from [RESPONSE]" on EF_RESPONSE messages (from
John Gardiner Myers).
Fixes to SysExMsg logging (sometimes just got "message: %s"
instead of "message: error message"), noted by Eric
Wassenaar. Also reported by Motonori Nakamura.
Improvements to MX piggybacking code, from Motonori Nakamura.
Fix case where CurHostName points to an auto variable that has
been deallocated (from Motonori Nakamura).
Fix bug causing newlines to be included in aliases if option
"n" (check alias RHS) is set; bug noted by David Muir
Sharnoff.
Fix problem causing user names that should be mapped to lower
case to not be mapped if they are sent during a queue
run. This greatly simplifies the case mapping code.
Problem noted by Allan E Johannesen of WPI.
Don't do recipient address rewriting in buildaddr. This
improperly did recipient rewriting on sender addresses,
and just seems bogus in general -- but the change could
break some .cf files.
Pass TZ envariable to child processes for System V.
CONFIG: allow LOCAL_RULE_1 and LOCAL_RULE_2 if you want to
define those rulesets.
KNOWN PROBLEM: I have seen some problems on SunOS that causes
the User Data Base to give errors on some addresses. I
have tracked the problem back at least as far as 93.02.15
(version 6.22). Running with debugging on makes it
go away, so I conclude that it is referencing uninitialized
stack data. I haven't been able to track this down yet.
6.36/6.16 93/03/08
Allow local mailer to specify $@host -- this lets you assign the
"foo" part of jgm+foo to $h for passing in to the local
mailer.
Additional debug printing in getcanonname (show query type).
Don't add the e_fromdomain on sender addresses -- this interacts
weirdly with the owner- code.
Improve delivery logging to not log obvious or meaningless stuff.
Include numeric IP address in Received: lines per RFC 1123 section
5.2.8.
Fixed a bug in checking stat() return value if restrictmailq is
set. Also, check the entire group set instead of just the
primary group. Both from John Gardiner Myers.
Don't have usrerr automatically print errno, since this is often
misleading.
Use transienterror() in makeconnection after connect() fails and
in openmailer after execve() fails (from Eric Wassenaar).
Also moved transienterror() from util.c to conf.c.
Clean up from= logging on response messages.
Undo patch allowing prescan to return a null vector -- it breaks
too many things.
Config: FEATURE(notsticky) lets you use UDB for everything coming
in to the machine, even if it is specifically targetted
to this machine. Without it, UDB is bypassed if the user
name is fully qualified.
Config: fix another minor botch with <> (local mailer wasn't
mapping them properly).
6.35/6.15 93/03/05
Fix getrealhostname to return null if sinlen <= 0 -- this can
occur if stdin is a pipe.
Avoid infinite loop in getcanonname if name server return
NO_DATA (for example).
Config: avoid having C flag qualify list syntax and error syntax.
6.34/6.14 93/03/05
Fix logging in deliver to not pass too many parameters to Ultrix
versions of syslog.
Don't write the pid file until after the daemon has actually
opened and conditioned the connection.
Consider addresses "different" if their q_uids differ (so that
two users forwarding to the same program will be seen
as different, rather than the same).
Fix problem with bad parameters in main() -- they set ExitStat
but don't exit.
Fix null pointer references through RealHostName -- painfully
discovered by Allan E Johannesen of WPI.
Fix bug causing user@@localhost to core dump (yuch).
Config: don't put two @host.dom.ain on users in $=E in SMTP
mailer. Also, catch user@ (no host) in ruleset 0.
6.33/6.13 93/03/03
Config: add confCW_FILE as the name of the cw configuration file
(defaults to /etc/sendmail.cw). From P{r Emanuelsson.
Allow prescan to return a pointer to an empty list -- this is
not an error. Also, clean up error reporting to avoid
double errors (prescan reports once, then the caller
reports again).
Changes to avoid trusting T_ANY queries -- run them, but if you
don't get the info you expected, do T_A and T_MX queries
anyhow. This also fixes an oversight where _res.options
bits were being ignored.
If PRIV_NOVRFY is set, use 252 response code instead of 502 per
RFC 1123 section 5.2.3. It's not 100% clear that this
is correct, but it probably works better with stupid
mailers that do a VRFY and only check the first digit.
6.32/6.12 93/03/02
Fix uninitialized variable "protocol" in smtp code.
Include <unistd.h> in sendmail.h -- move towards POSIX/ANSI.
Additional hooks for RFC 1427 (ESMTP SIZE extension). This
includes requiring that enoughspace() know the system
block size, which will undoubtedly break most ports.
Trace flag 19 in use for srvrsmtp.c.
Additional logging -- notably the sending mailer name. This
also changes the delivery logging to strict field=value
syntax.
Fix some problems with messages getting sent even to addresses
that had been marked bad -- from Eric Wassenaar.
More WIDE changes: accept host name inside [...] as non-MXed
host. This is intended ONLY for use inside firewalled
environments, where the MX points at the gateway.
Change .cf file conventions so that mapping for <> addresses
don't have an @ in them (to avoid confusing the C mailer
flag). Pointed out by Neil Rickert.
Config extensions for Sam Leffler's FlexFAX software.
6.31/6.10 93/02/28
Fix some more bugs in alias owner code -- there were some weird
cases where an error in a non-aliased name would override
the return info in an aliased name with an owner.
Changes from WIDE Project, forwarded to me by Motonori Nakamura:
Log actual delivery host (after MX et al); from
yasuhiro@dcl.co.jp.
Log daemon startup.
Deliver Postmaster copies without a body.
Better logging of SMTP senders.
Send all program email as daemon even when local.
As requested in various forms from many people, accept -qIstring
to limit queue runs to jobs with queue-id matching string.
Similarly for -qRstring for recipients, -qSstring for
senders.
Initial hooks for ESMTP support (see RFC 1425).
Fixed a syntax error in the UUCP mailer specification that caused
core dumps on startup.
Check for missing A= or P= arguments in mailer definitions.
6.30/6.10 93/02/27
Require FROZENCONFIG compilation flag to include frozen
configuration code. Frozen configuration is really
not a very good idea any more, particularly in shared
library environments.
Do better checking of errno after opens of :include: and .forward
files to defer delivery on network and other transient
errors. Suggestion from Craig Everhart.
Fix minor botch in read timeout macro processing.
Add FEATURE(nouucp) to config files for sites that know absolutely
nothing about UUCP.
Add built cf files to distribution tape and clarify how to build
them if you don't have the Berkeley make.
Some sizeof(long) portability changes for the Alpha, from Allan
E Johannesen.
Add "restrictmailq" privacy flag -- if set, only people in the same
group as your queue directory can print the queue. If you
set this, be sure you also restrict access to log files....
Fix another bug in owner-list stuff that can cause data files to
be "lost".
Fix a bug with queue runs that cause forwards to yourself to go
into alias/forwarding loops. I'm still iffy about this
fix.
Fix from Eric Wassenaar for suppression of return message code.
6.29/6.9 93/02/24
Fix yet another problem in alias owner code -- put the wrong return
address on the enclosed return-to-sender letter.
6.28/6.9 93/02/24
Fix botch in alias owner code that caused it to not operate if the
error was detected locally.
6.27/6.9 93/02/24
M_LOCAL => M_LOCALMAILER to avoid conflict with Ultrix include
file <sys/mount.h>.
Miscellaneous bug fixes from Eric Wassenaar:
sendmail -bv -t logs the from line even though in verify
mode only.
sendmail -v can go into queue mode if shouldqueue returns
TRUE.
Add route-addr pruning per RFC 1123 section 5.3.3. This can be
disabled using the "R" option.
Delete (always undocumented) -R flag (save original recipients);
there are ways to syslog(3) these now.
Clean up SMTP reply codes -- specify them as needed in the code,
instead of in conf.c -- this was needed during the NCP to
TCP transition, but seems silly now. This also changes
parameters to message and nmessage.
Have mailstats read the .cf file to find the sendmail.st file and
get text versions of mailer names. An initial version of
this code was provided by Tuominen Keijo (although the
comments indicate the good bits were written by "E.V.").
Add yet more System V compatibility hacks.
Fix bug in VRFY code (assumes everything must be a local user).
Allow specification of any of the hard-wired pathnames in the
Makefile.
Delete concept of "trusted users" -- this really didn't provide
any security anyway, and caused some problems.
Delete last vestige of support for the word "at" as an equivalent
to the character "@".
Propagate owner-foo alias information into the envelope sender.
Based on code from John Gardiner Myers. This is a major
semantic change -- beware!
Allow $@ on LHS to indicate "match zero" -- this is used to match
the null expression.
6.26/6.8 93/02/21
Don't "lose" queue runs. Very important fix from (who else?)
Eric Wassenaar.
Completely reset state on RSET command -- from Eric Wassenaar.
Send error messages and return receipts using an envelope sender
of <> regardless of the setting of $n. Rewriting rules
can undo this if they feel the necessity, as might be
needed for networks that don't understand the syntax.
This is permitted by RFC 821 section 3.6 and required by
RFC 1123 section 5.3.3. THIS REQUIRES VERSION 4 CONFIG
FILES because the rulesets must be able to parse <>
properly.
Don't ever send error messages to "<>" -- they will get sent to
the local postmaster or dumped in /usr/tmp/dead.letter
instead. Per RFC 1123 section 5.3.3.
Explicitly check for email to yourself as a dotted quad. You
have to call $[ [ ... ] $] to get this.
Up the message timeout to five days per RFC 1123 section 5.3.1.1.
Make all read timeouts individually configurable, as strongly
recommended by RFC 1123 section 5.3.2.
Use f_bavail (blocks available to regular users) instead of f_bfree
(blocks available to superuser) in free block checks.
Change $d macro to be the current time, not the origination time,
since this is consistent with how it is used now.
Generalization of enoughspace from Eric Wassenaar covering
SGI, Apollo, HPUX, Ultrix, and SunOS.
Ignore process group signals -- some front ends can do this if
you kill a window too quickly. From Eric Wassenaar.
Change umask to 022.
6.25/6.8 93/02/20
Close all cached connections before calling mailers and after
forking for delivery (caused double closes which resulted
in false errors).
Add FEATURE(redirect) in config files -- this allows you to alias
old addresses to a pointer to the new address that will
give a 551 error message, but not deliver the mail.
Some code changes to make the 551 errors look pretty.
Names of M4 program paths in config files have changed -- they
are all XXX_MAILER_PATH now, to match XXX_MAILER_FLAGS.
Fix a bug in the QSELFREF code having to do with empty .forward
files, reported by Eric Wassenaar.
Add option "p" (privacy flags); this allows you to tune how
picky the SMTP server will be. This also adds the
confPRIVACY_FLAGS M4 macro in the config files.
Add option "b" (minimum blocks free). If there are fewer than
this number of blocks free on the filesystem containing
the queue directory, the SMTP MAIL command will return
a 452 response and ask you to try again later. This
also adds the confMIN_FREE_BLOCKS M4 macro in the config
files.
Made VRFY just verify (doesn't expand aliases and .forward files);
EXPN does full expansion. RCPT in queue-only mode also
doesn't chase aliases and .forward.
6.24/6.7 93/02/19
Increase the number of domain search entries in domain.c to allow
for the extra "" entry indicating the root domain.
Reported by Motonori Nakamura of Kyoto U.
Add a "SMART_HOST" in the configs for UUCP-connected sites that
want to forward all mail with extra "@"s to that site.
Also allows SMART_HOST, LOCAL_RELAY, and MAIL_HUB to
be specified as ``mailer:hostname'' to use an alternate
mailer.
Clarified and updated some wording in the Operations Guide.
Add the "c" mailer flag -- this suppresses all comment parts of
addresses (requested by John Curran of NEARnet).
Have -v print prompts in -bt mode even if stdin is not a terminal
(default behavior is to be silent if not reading from
a terminal). Suggested by Bryan Costales, ICSI.
Move the metacharacters from C0 space (\001-\037) into C1 space
(\201-\237). This also fixes a bunch of potential bugs
with G1 characters (\240-\276) in headers relating to
negative numbers passed to isspace() et al.
Add YP_LAST_MODIFIED and YP_MASTER_NAME to DBM version of alias
database if YPCOMPAT is #defined. Enhancement from
Takahiro Kanbe of Fuji Xerox Information Systems Co., Ltd.
Add "list" Precedence (-30); this can be used with old sendmails
which will map to precedence 0 (which will return error
messages). Suggested by Stephen R. van den Berg.
Many bug fixes from Eric Wassenaar of the National Institute for
Nuclear and High-Energy Physics, Amsterdam:
Clear timeouts properly on open failures in include().
Don't dereference through NULL if no home directory found.
Re-establish SIGCHLD signal on System 5 in reapchild().
Avoid NULL pointer reference on -pFOO flag.
Properly handle backslash escapes in comments.
Correctly check reply status on SMTP NOOP command.
Properly save SMTP error message if peer gives
"Service Shutting Down" message.
Avoid writing to the transcript if it couldn't be opened.
Signal errors in SMTP children to parent properly.
Handle self references in a list more globally (include a
QSELFREF bit in the address flags). This enhancement
was suggested by Eric Wassenaar.
Use initgroups() in hpux, even though it's System-V based. The
HASINITGROUPS compile flag can set this on other systems.
This HPUX behavior was pointed out by Eric Wassenaar.
6.23/6.6 93/02/16
Clean up handling of LogLevel to make it easier to figure out
what's on what level.
Change log levels to have some consistency:
1 serious system failures, security problems
2 lost communications, protocol failures
3 other serious failures
4 minor errors
5 message collection
6 vrfy logging, creation of return-to-sender
7 delivery failures
8 delivery successes
9 delivery tempfails (queue ups)
10 database expansion
>64 debugging
Allow IDA-style separated processing on S= and R= in Mailer
definition lines. Note that rulesets 1 and 2 are
still used for both addresses as before. Bruce Lilly
gave a convincing argument that RFC976 insists on
this behavior.
Added some time zones to arpatounix -- they may not be in the
standards, but they are in use. However, I may delete
arpatounix entirely -- there appears to be no reason
for it to exist.
Change to UUCP mailer (in cf directory) to try to do a saner job.
I'm still not certain about this mailer in general.
6.22/6.5 93/02/15
Fix bug that prevents saving letters in ~/dead.letter.
Don't add angle brackets in VRFY command if angle brackets already
exist in the address.
Fix bogus error message in udbexpand.
Null terminate host buffers in buildaddr (broken in 6.21) --
IMPORTANT FIX!!
6.21/6.5 93/02/15
Fix another incorrect error message in alias.c, found by Azuma
Okamoto.
Fix a couple of problems in the more-configurable config files,
found by Tom Ivar Helbekkmo.
Fix problem with quoted :include: entries.
Don't duplicate the filename on verbose printing of .forward and
:include: contents.
Extend size of prescan buffer (to allow bigger addresses). Also,
detect some buffer overflows.
Log user SMTP protocol errors (log level 4).
6.20/6.4 93/02/14
Fix another problem in the MCI state machine caused when there
were errors generated from the other end to commands
other than RCPT.
6.19/6.4 93/02/14
Include load average support for DEC Alpha running OSF/1.
Fix multiple-response problem with errors in MAIL From: line.
Fix SMTP reply codes for invalid address syntaxes (give 501;
never give multiple error messages for a single message).
Fix problem where a cached connection timeout rejects all
later connects to that host.
Fix incorrect error message if alias.c is compiled with DBM only.
Additional changes to fix nested conditionals (from Bruce Lilly).
Recover more gracefully from operating system failures, particularly
NULL returns from openmailer (from Noritoshi Demizu,
OMRON Corporation).
Log forward, alias, and userdb expand operations on log level 10;
concept suggested by P{r (Pell) Emanuelsson.
Changes for HPUX 8.07 compatibility.
6.18/6.4 93/02/12
Allow any config option to be set using an M4 define.
Change UNAME compile flag to HASUNAME for IDA compatibility
(besides, it's a better name).
Note in README that on SunOS it must be linked -Bstatic.
Fairly major change in domain.c to handle wildcard MX records
more rationally. NOTE: the "w" option (no wildcard MX
records match local domain) has been eliminated.
Fix some unset variable references pointed out by Bruce Lilly.
Fix host name in process titles when using cached connection.
6.17/6.3 93/01/28
Fix System 5 compatibility changes to be compatible with the rest
of the world.
6.16/6.3 93/01/28
Experimental fix for problem handling errors in the SMTP
protocol in conjunction with connection caching.
System 5 compatibility changes.
6.15/6.3 93/01/26
Fix a bug that causes local mail delivered using -odq to be
eliminated as a duplicate (because it matched the
ctladdr, now passed in as a C line). These changes
are pretty tricky......
6.14/6.3 93/01/25
Add debugging for some MCI errors.
6.13/6.3 93/01/22
Fix -e compatibility flag to take a value.
Fix a couple of minor compilation warnings on Sun cc.
Improve error messages in a few cases to be more self-explanatory.
6.12/6.3 93/01/21
Fix yet-another problem with environment handling, pointed out
by Yoshitaka Tokugawa and Tom Ivar Helbekkmo.
Some heuristics to try to limit resource exhaustion problems
if a downstream host has been down for a long time.
Fix problem with incorrect host name being logged in "Connection
timed out" messages (from Tom Ivar Helbekkmo).
Fix some ANSI C problems (from Takahiro Kanbe).
Properly log message sender on returned mail during queue run.
Count number of recipients properly.
Fix a problem in yp map code.
Diagnose "message timed out" (from Motonori Nakamura).
6.11/6.3 93/01/20
Fix problem with address delimitor inside quotes.
Define $k and $=k to be the UUCP name (from the uname call)
based on code from Bruce Lilly.
6.10/6.2 93/01/18
Implement arpatounix (largely code from Bruce Lilly).
Log more info (suggested by John Myers).
Allow nested $?...$|...$. (inspired by code from Bruce Lilly of
Sony US).
POSIX compatibility (noted by Keith Bostic).
Handle SMTP MAIL command errors properly (urged by several people,
notably John Myers of CMU).
Do early diagnosis of .cf errors (notably referencing a RHS
substitution that isn't on the LHS).
Adjust checkpointing to better handle batched recipients, suggested
by John Myers.
Fix miscellaneous bugs.
(config files:) Implement MAIL_HUB for all local mail (to handle
NFS-mounted directories) as urged by Tom Ivar Helbekkmo
of the Norwegian School of Economics.
6.9/6.1 93/01/13
Environment handling simplification/bug fix -- child processes
get a minimal, fixed environment. This avoids different
behavior in queue runs.
Handle commas inside comments properly.
Properly limit large messages submitted in -obq mode.
6.8/6.1 93/01/10
Check mtime of thaw file against .cf and sendmail binary, based on
code from John Myers.
6.7/6.1 93/01/10
MX piggybacking, based on code from John Myers@CMU.
Allow checkcompat to return -1 to mean tempfail.
Bug fix in m_mno computation.
6.6/6.1 93/01/09
Tuning of queueing functions as recommended by John Gardiner Myers.
Return mail headers (no body) on messages with negative precedence.
Minor other bug fixes.
6.5/6.1 93/01/03
Fix botch causing queued headers to have ?XX? prefixes.
6.4/6.1 93/01/02
Changes to recognize special mailer types (e.g., file) early.
6.3/6.1 93/01/01
Pass timeouts to sfgets.
Check for control characters in addresses.
Fixed deferred error reporting.
Report duplicate aliases.
Handle mixed case recursive aliases.
Misc bug fixes.
6.2/6.1 92/12/30
Put return-receipt-to on a conf.c flag (but don't set it).
Fix minor syslog problem.